OpenSolaris_b135/lib/libsldap/common/ns_reads.c
/*
* CDDL HEADER START
*
* The contents of this file are subject to the terms of the
* Common Development and Distribution License (the "License").
* You may not use this file except in compliance with the License.
*
* You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
* or http://www.opensolaris.org/os/licensing.
* See the License for the specific language governing permissions
* and limitations under the License.
*
* When distributing Covered Code, include this CDDL HEADER in each
* file and include the License file at usr/src/OPENSOLARIS.LICENSE.
* If applicable, add the following below this CDDL HEADER, with the
* fields enclosed by brackets "[]" replaced with your own identifying
* information: Portions Copyright [yyyy] [name of copyright owner]
*
* CDDL HEADER END
*/
/*
* Copyright 2009 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
#include <libintl.h>
#include <ctype.h>
#include <syslog.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <unistd.h>
#include <string.h>
#include <strings.h>
#include <priv.h>
#include "ns_sldap.h"
#include "ns_internal.h"
#include "ns_cache_door.h"
#include "ns_connmgmt.h"
#define _NIS_FILTER "nisdomain=*"
#define _NIS_DOMAIN "nisdomain"
static const char *nis_domain_attrs[] = {
_NIS_DOMAIN,
(char *)NULL
};
static int validate_filter(ns_ldap_cookie_t *cookie);
void
__ns_ldap_freeEntry(ns_ldap_entry_t *ep)
{
int j, k = 0;
if (ep == NULL)
return;
if (ep->attr_pair == NULL) {
free(ep);
return;
}
for (j = 0; j < ep->attr_count; j++) {
if (ep->attr_pair[j] == NULL)
continue;
if (ep->attr_pair[j]->attrname)
free(ep->attr_pair[j]->attrname);
if (ep->attr_pair[j]->attrvalue) {
for (k = 0; (k < ep->attr_pair[j]->value_count) &&
(ep->attr_pair[j]->attrvalue[k]); k++) {
free(ep->attr_pair[j]->attrvalue[k]);
}
free(ep->attr_pair[j]->attrvalue);
}
free(ep->attr_pair[j]);
}
free(ep->attr_pair);
free(ep);
}
static void
_freeControlList(LDAPControl ***ctrls)
{
LDAPControl **ctrl;
if (ctrls == NULL || *ctrls == NULL)
return;
for (ctrl = *ctrls; *ctrl != NULL; ctrl++)
ldap_control_free(*ctrl);
free(*ctrls);
*ctrls = NULL;
}
/*
* Convert attribute type in a RDN that has an attribute mapping to the
* original mappped type.
* e.g.
* cn<->cn-st and iphostnumber<->iphostnumber-st
* cn-st=aaa+iphostnumber-st=10.10.01.01
* is mapped to
* cn=aaa+iphostnumber=10.10.01.01
*
* Input - service: e.g. hosts, passwd etc.
* rdn: RDN
* Return: NULL - No attribute mapping in the RDN
* Non-NULL - The attribute type(s) in the RDN are mapped and
* the memory is allocated for the new rdn.
*
*/
static char *
_cvtRDN(const char *service, const char *rdn) {
char **attrs, **mapped_attrs, **mapp, *type, *value, *attr;
char *new_rdn = NULL;
int nAttr = 0, i, attr_mapped, len = 0;
/* Break down "type=value\0" pairs. Assume RDN is normalized */
if ((attrs = ldap_explode_rdn(rdn, 0)) == NULL)
return (NULL);
for (nAttr = 0; attrs[nAttr] != NULL; nAttr++);
if ((mapped_attrs = (char **)calloc(nAttr, sizeof (char *))) == NULL) {
ldap_value_free(attrs);
return (NULL);
}
attr_mapped = 0;
for (i = 0; i < nAttr; i++) {
/* Parse type=value pair */
if ((type = strtok_r(attrs[i], "=", &value)) == NULL ||
value == NULL)
goto cleanup;
/* Reverse map: e.g. cn-sm -> cn */
mapp = __ns_ldap_getOrigAttribute(service, type);
if (mapp != NULL && mapp[0] != NULL) {
/* The attribute mapping is found */
type = mapp[0];
attr_mapped = 1;
/* "type=value\0" */
len = strlen(type) + strlen(value) + 2;
/* Reconstruct type=value pair. A string is allocated */
if ((attr = (char *)calloc(1, len)) == NULL) {
__s_api_free2dArray(mapp);
goto cleanup;
}
(void) snprintf(attr, len, "%s=%s",
type, value);
mapped_attrs[i] = attr;
} else {
/*
* No attribute mapping. attrs[i] is going to be copied
* later. Restore "type\0value\0" back to
* "type=value\0".
*/
type[strlen(type)] = '=';
}
__s_api_free2dArray(mapp);
}
if (attr_mapped == 0)
/* No attribute mapping. Don't bother to reconstruct RDN */
goto cleanup;
len = 0;
/* Reconstruct RDN from type=value pairs */
for (i = 0; i < nAttr; i++) {
if (mapped_attrs[i])
len += strlen(mapped_attrs[i]);
else
len += strlen(attrs[i]);
/* Add 1 for "+" */
len++;
}
if ((new_rdn = (char *)calloc(1, ++len)) == NULL)
goto cleanup;
for (i = 0; i < nAttr; i++) {
if (i > 0)
/* Add seperator */
(void) strlcat(new_rdn, "+", len);
if (mapped_attrs[i])
(void) strlcat(new_rdn, mapped_attrs[i], len);
else
(void) strlcat(new_rdn, attrs[i], len);
}
cleanup:
ldap_value_free(attrs);
if (mapped_attrs) {
if (attr_mapped) {
for (i = 0; i < nAttr; i++) {
if (mapped_attrs[i])
free(mapped_attrs[i]);
}
}
free(mapped_attrs);
}
return (new_rdn);
}
/*
* Convert attribute type in a DN that has an attribute mapping to the
* original mappped type.
* e.g
* The mappings are cn<->cn-sm, iphostnumber<->iphostnumber-sm
*
* dn: cn-sm=aaa+iphostnumber-sm=9.9.9.9,dc=central,dc=sun,dc=com
* is converted to
* dn: cn=aaa+iphostnumber=9.9.9.9,dc=central,dc=sun,dc=com
*
* Input - service: e.g. hosts, passwd etc.
* dn: the value of a distinguished name
* Return - NULL: error
* non-NULL: A converted DN and the memory is allocated
*/
static char *
_cvtDN(const char *service, const char *dn) {
char **mapped_rdns;
char **rdns, *new_rdn, *new_dn = NULL;
int nRdn = 0, i, len = 0, rdn_mapped;
if (service == NULL || dn == NULL)
return (NULL);
if ((rdns = ldap_explode_dn(dn, 0)) == NULL)
return (NULL);
for (nRdn = 0; rdns[nRdn] != NULL; nRdn++);
if ((mapped_rdns = (char **)calloc(nRdn, sizeof (char *))) == NULL) {
ldap_value_free(rdns);
return (NULL);
}
rdn_mapped = 0;
/* Break down RDNs in a DN */
for (i = 0; i < nRdn; i++) {
if ((new_rdn = _cvtRDN(service, rdns[i])) != NULL) {
mapped_rdns[i] = new_rdn;
rdn_mapped = 1;
}
}
if (rdn_mapped == 0) {
/*
* No RDN contains any attribute mapping.
* Don't bother to reconstruct DN from RDN. Copy DN directly.
*/
new_dn = strdup(dn);
goto cleanup;
}
/*
* Reconstruct dn from RDNs.
* Calculate the length first.
*/
for (i = 0; i < nRdn; i++) {
if (mapped_rdns[i])
len += strlen(mapped_rdns[i]);
else
len += strlen(rdns[i]);
/* add 1 for ',' */
len ++;
}
if ((new_dn = (char *)calloc(1, ++len)) == NULL)
goto cleanup;
for (i = 0; i < nRdn; i++) {
if (i > 0)
/* Add seperator */
(void) strlcat(new_dn, ",", len);
if (mapped_rdns[i])
(void) strlcat(new_dn, mapped_rdns[i], len);
else
(void) strlcat(new_dn, rdns[i], len);
}
cleanup:
ldap_value_free(rdns);
if (mapped_rdns) {
if (rdn_mapped) {
for (i = 0; i < nRdn; i++) {
if (mapped_rdns[i])
free(mapped_rdns[i]);
}
}
free(mapped_rdns);
}
return (new_dn);
}
/*
* Convert a single ldap entry from a LDAPMessage
* into an ns_ldap_entry structure.
* Schema map the entry if specified in flags
*/
static int
__s_api_cvtEntry(LDAP *ld,
const char *service,
LDAPMessage *e,
int flags,
ns_ldap_entry_t **ret,
ns_ldap_error_t **error)
{
ns_ldap_entry_t *ep = NULL;
ns_ldap_attr_t **ap = NULL;
BerElement *ber;
char *attr = NULL;
char **vals = NULL;
char **mapping;
char *dn;
int nAttrs = 0;
int i, j, k = 0;
char **gecos_mapping = NULL;
int gecos_val_index[3] = { -1, -1, -1};
char errstr[MAXERROR];
int schema_mapping_existed = FALSE;
int gecos_mapping_existed = FALSE;
int gecos_attr_matched;
int auto_service = FALSE;
int rc = NS_LDAP_SUCCESS;
if (e == NULL || ret == NULL || error == NULL)
return (NS_LDAP_INVALID_PARAM);
*error = NULL;
ep = (ns_ldap_entry_t *)calloc(1, sizeof (ns_ldap_entry_t));
if (ep == NULL)
return (NS_LDAP_MEMORY);
if (service != NULL &&
(strncasecmp(service, "auto_", 5) == 0 ||
strcasecmp(service, "automount") == 0))
auto_service = TRUE;
/*
* see if schema mapping existed for the given service
*/
mapping = __ns_ldap_getOrigAttribute(service,
NS_HASH_SCHEMA_MAPPING_EXISTED);
if (mapping) {
schema_mapping_existed = TRUE;
__s_api_free2dArray(mapping);
mapping = NULL;
} else if (auto_service) {
/*
* If service == auto_* and no
* schema mapping found
* then try automount
* There is certain case that schema mapping exist
* but __ns_ldap_getOrigAttribute(service,
* NS_HASH_SCHEMA_MAPPING_EXISTED);
* returns NULL.
* e.g.
* NS_LDAP_ATTRIBUTEMAP = automount:automountMapName=AAA
* NS_LDAP_OBJECTCLASSMAP = automount:automountMap=MynisMap
* NS_LDAP_OBJECTCLASSMAP = automount:automount=MynisObject
*
* Make a check for schema_mapping_existed here
* so later on __s_api_convert_automountmapname won't be called
* unnecessarily. It is also used for attribute mapping
* and objectclass mapping.
*/
mapping = __ns_ldap_getOrigAttribute("automount",
NS_HASH_SCHEMA_MAPPING_EXISTED);
if (mapping) {
schema_mapping_existed = TRUE;
__s_api_free2dArray(mapping);
mapping = NULL;
}
}
nAttrs = 1; /* start with 1 for the DN attr */
for (attr = ldap_first_attribute(ld, e, &ber); attr != NULL;
attr = ldap_next_attribute(ld, e, ber)) {
nAttrs++;
ldap_memfree(attr);
attr = NULL;
}
ber_free(ber, 0);
ber = NULL;
ep->attr_count = nAttrs;
/*
* add 1 for "gecos" 1 to N attribute mapping,
* just in case it is needed.
* ep->attr_count will be updated later if that is true.
*/
ap = (ns_ldap_attr_t **)calloc(ep->attr_count + 1,
sizeof (ns_ldap_attr_t *));
if (ap == NULL) {
__ns_ldap_freeEntry(ep);
ep = NULL;
return (NS_LDAP_MEMORY);
}
ep->attr_pair = ap;
/* DN attribute */
dn = ldap_get_dn(ld, e);
ap[0] = (ns_ldap_attr_t *)calloc(1, sizeof (ns_ldap_attr_t));
if (ap[0] == NULL) {
ldap_memfree(dn);
dn = NULL;
__ns_ldap_freeEntry(ep);
ep = NULL;
return (NS_LDAP_MEMORY);
}
if ((ap[0]->attrname = strdup("dn")) == NULL) {
ldap_memfree(dn);
dn = NULL;
__ns_ldap_freeEntry(ep);
ep = NULL;
return (NS_LDAP_INVALID_PARAM);
}
ap[0]->value_count = 1;
if ((ap[0]->attrvalue = (char **)
calloc(2, sizeof (char *))) == NULL) {
ldap_memfree(dn);
dn = NULL;
__ns_ldap_freeEntry(ep);
ep = NULL;
return (NS_LDAP_MEMORY);
}
if (schema_mapping_existed && ((flags & NS_LDAP_NOT_CVT_DN) == 0))
ap[0]->attrvalue[0] = _cvtDN(service, dn);
else
ap[0]->attrvalue[0] = strdup(dn);
if (ap[0]->attrvalue[0] == NULL) {
ldap_memfree(dn);
dn = NULL;
__ns_ldap_freeEntry(ep);
ep = NULL;
return (NS_LDAP_MEMORY);
}
ldap_memfree(dn);
dn = NULL;
if ((flags & NS_LDAP_NOMAP) == 0 && auto_service &&
schema_mapping_existed) {
rc = __s_api_convert_automountmapname(service,
&ap[0]->attrvalue[0],
error);
if (rc != NS_LDAP_SUCCESS) {
__ns_ldap_freeEntry(ep);
ep = NULL;
return (rc);
}
}
/* other attributes */
for (attr = ldap_first_attribute(ld, e, &ber), j = 1;
attr != NULL && j != nAttrs;
attr = ldap_next_attribute(ld, e, ber), j++) {
/* allocate new attr name */
if ((ap[j] = (ns_ldap_attr_t *)
calloc(1, sizeof (ns_ldap_attr_t))) == NULL) {
ber_free(ber, 0);
ber = NULL;
__ns_ldap_freeEntry(ep);
ep = NULL;
if (gecos_mapping)
__s_api_free2dArray(gecos_mapping);
gecos_mapping = NULL;
return (NS_LDAP_MEMORY);
}
if ((flags & NS_LDAP_NOMAP) || schema_mapping_existed == FALSE)
mapping = NULL;
else
mapping = __ns_ldap_getOrigAttribute(service, attr);
if (mapping == NULL && auto_service &&
schema_mapping_existed && (flags & NS_LDAP_NOMAP) == 0)
/*
* if service == auto_* and no schema mapping found
* and schema_mapping_existed is TRUE and NS_LDAP_NOMAP
* is not set then try automount e.g.
* NS_LDAP_ATTRIBUTEMAP = automount:automountMapName=AAA
*/
mapping = __ns_ldap_getOrigAttribute("automount",
attr);
if (mapping == NULL) {
if ((ap[j]->attrname = strdup(attr)) == NULL) {
ber_free(ber, 0);
ber = NULL;
__ns_ldap_freeEntry(ep);
ep = NULL;
if (gecos_mapping)
__s_api_free2dArray(gecos_mapping);
gecos_mapping = NULL;
return (NS_LDAP_MEMORY);
}
} else {
/*
* for "gecos" 1 to N mapping,
* do not remove the mapped attribute,
* just create a new gecos attribute
* and append it to the end of the attribute list
*/
if (strcasecmp(mapping[0], "gecos") == 0) {
ap[j]->attrname = strdup(attr);
gecos_mapping_existed = TRUE;
} else
ap[j]->attrname = strdup(mapping[0]);
if (ap[j]->attrname == NULL) {
ber_free(ber, 0);
ber = NULL;
__ns_ldap_freeEntry(ep);
ep = NULL;
if (gecos_mapping)
__s_api_free2dArray(gecos_mapping);
gecos_mapping = NULL;
return (NS_LDAP_MEMORY);
}
/*
* 1 to N attribute mapping processing
* is only done for "gecos"
*/
if (strcasecmp(mapping[0], "gecos") == 0) {
/*
* get attribute mapping for "gecos",
* need to know the number and order of the
* mapped attributes
*/
if (gecos_mapping == NULL) {
gecos_mapping =
__ns_ldap_getMappedAttributes(
service, mapping[0]);
if (gecos_mapping == NULL ||
gecos_mapping[0] == NULL) {
/*
* this should never happens,
* syslog the error
*/
(void) sprintf(errstr,
gettext(
"Attribute mapping "
"inconsistency "
"found for attributes "
"'%s' and '%s'."),
mapping[0], attr);
syslog(LOG_ERR, "libsldap: %s",
errstr);
ber_free(ber, 0);
ber = NULL;
__ns_ldap_freeEntry(ep);
ep = NULL;
__s_api_free2dArray(mapping);
mapping = NULL;
if (gecos_mapping)
__s_api_free2dArray(
gecos_mapping);
gecos_mapping = NULL;
return (NS_LDAP_INTERNAL);
}
}
/*
* is this attribute the 1st, 2nd, or
* 3rd attr in the mapping list?
*/
gecos_attr_matched = FALSE;
for (i = 0; i < 3 && gecos_mapping[i]; i++) {
if (gecos_mapping[i] &&
strcasecmp(gecos_mapping[i],
attr) == 0) {
gecos_val_index[i] = j;
gecos_attr_matched = TRUE;
break;
}
}
if (gecos_attr_matched == FALSE) {
/*
* Not match found.
* This should never happens,
* syslog the error
*/
(void) sprintf(errstr,
gettext(
"Attribute mapping "
"inconsistency "
"found for attributes "
"'%s' and '%s'."),
mapping[0], attr);
syslog(LOG_ERR, "libsldap: %s", errstr);
ber_free(ber, 0);
ber = NULL;
__ns_ldap_freeEntry(ep);
ep = NULL;
__s_api_free2dArray(mapping);
mapping = NULL;
__s_api_free2dArray(gecos_mapping);
gecos_mapping = NULL;
return (NS_LDAP_INTERNAL);
}
}
__s_api_free2dArray(mapping);
mapping = NULL;
}
if ((vals = ldap_get_values(ld, e, attr)) != NULL) {
if ((ap[j]->value_count =
ldap_count_values(vals)) == 0) {
ldap_value_free(vals);
vals = NULL;
continue;
} else {
ap[j]->attrvalue = (char **)
calloc(ap[j]->value_count+1,
sizeof (char *));
if (ap[j]->attrvalue == NULL) {
ber_free(ber, 0);
ber = NULL;
__ns_ldap_freeEntry(ep);
ep = NULL;
if (gecos_mapping)
__s_api_free2dArray(
gecos_mapping);
gecos_mapping = NULL;
return (NS_LDAP_MEMORY);
}
}
/* map object classes if necessary */
if ((flags & NS_LDAP_NOMAP) == 0 &&
schema_mapping_existed && ap[j]->attrname &&
strcasecmp(ap[j]->attrname, "objectclass") == 0) {
for (k = 0; k < ap[j]->value_count; k++) {
mapping =
__ns_ldap_getOrigObjectClass(
service, vals[k]);
if (mapping == NULL && auto_service)
/*
* if service == auto_* and no
* schema mapping found
* then try automount
*/
mapping =
__ns_ldap_getOrigObjectClass(
"automount", vals[k]);
if (mapping == NULL) {
ap[j]->attrvalue[k] =
strdup(vals[k]);
} else {
ap[j]->attrvalue[k] =
strdup(mapping[0]);
__s_api_free2dArray(mapping);
mapping = NULL;
}
if (ap[j]->attrvalue[k] == NULL) {
ber_free(ber, 0);
ber = NULL;
__ns_ldap_freeEntry(ep);
ep = NULL;
if (gecos_mapping)
__s_api_free2dArray(
gecos_mapping);
gecos_mapping = NULL;
return (NS_LDAP_MEMORY);
}
}
} else {
for (k = 0; k < ap[j]->value_count; k++) {
if ((ap[j]->attrvalue[k] =
strdup(vals[k])) == NULL) {
ber_free(ber, 0);
ber = NULL;
__ns_ldap_freeEntry(ep);
ep = NULL;
if (gecos_mapping)
__s_api_free2dArray(
gecos_mapping);
gecos_mapping = NULL;
return (NS_LDAP_MEMORY);
}
}
}
ap[j]->attrvalue[k] = NULL;
ldap_value_free(vals);
vals = NULL;
}
ldap_memfree(attr);
attr = NULL;
}
ber_free(ber, 0);
ber = NULL;
if (gecos_mapping) {
__s_api_free2dArray(gecos_mapping);
gecos_mapping = NULL;
}
/* special processing for gecos 1 to up to 3 attribute mapping */
if (schema_mapping_existed && gecos_mapping_existed) {
int f = -1;
for (i = 0; i < 3; i++) {
k = gecos_val_index[i];
/*
* f is the index of the first returned
* attribute which "gecos" attribute mapped to
*/
if (k != -1 && f == -1)
f = k;
if (k != -1 && ap[k]->value_count > 0 &&
ap[k]->attrvalue[0] &&
strlen(ap[k]->attrvalue[0]) > 0) {
if (k == f) {
/*
* Create and fill in the last reserved
* ap with the data from the "gecos"
* mapping attributes
*/
ap[nAttrs] = (ns_ldap_attr_t *)
calloc(1,
sizeof (ns_ldap_attr_t));
if (ap[nAttrs] == NULL) {
__ns_ldap_freeEntry(ep);
ep = NULL;
return (NS_LDAP_MEMORY);
}
ap[nAttrs]->attrvalue = (char **)calloc(
2, sizeof (char *));
if (ap[nAttrs]->attrvalue == NULL) {
__ns_ldap_freeEntry(ep);
ep = NULL;
return (NS_LDAP_MEMORY);
}
/* add 1 more for a possible "," */
ap[nAttrs]->attrvalue[0] =
(char *)calloc(
strlen(ap[f]->attrvalue[0]) +
2, 1);
if (ap[nAttrs]->attrvalue[0] == NULL) {
__ns_ldap_freeEntry(ep);
ep = NULL;
return (NS_LDAP_MEMORY);
}
(void) strcpy(ap[nAttrs]->attrvalue[0],
ap[f]->attrvalue[0]);
ap[nAttrs]->attrname = strdup("gecos");
if (ap[nAttrs]->attrname == NULL) {
__ns_ldap_freeEntry(ep);
ep = NULL;
return (NS_LDAP_MEMORY);
}
ap[nAttrs]->value_count = 1;
ep->attr_count = nAttrs + 1;
} else {
char *tmp = NULL;
/*
* realloc to add "," and
* ap[k]->attrvalue[0]
*/
tmp = (char *)realloc(
ap[nAttrs]->attrvalue[0],
strlen(ap[nAttrs]->
attrvalue[0]) +
strlen(ap[k]->
attrvalue[0]) + 2);
if (tmp == NULL) {
__ns_ldap_freeEntry(ep);
ep = NULL;
return (NS_LDAP_MEMORY);
}
ap[nAttrs]->attrvalue[0] = tmp;
(void) strcat(ap[nAttrs]->attrvalue[0],
",");
(void) strcat(ap[nAttrs]->attrvalue[0],
ap[k]->attrvalue[0]);
}
}
}
}
*ret = ep;
return (NS_LDAP_SUCCESS);
}
static int
__s_api_getEntry(ns_ldap_cookie_t *cookie)
{
ns_ldap_entry_t *curEntry = NULL;
int ret;
#ifdef DEBUG
(void) fprintf(stderr, "__s_api_getEntry START\n");
#endif
if (cookie->resultMsg == NULL) {
return (NS_LDAP_INVALID_PARAM);
}
ret = __s_api_cvtEntry(cookie->conn->ld, cookie->service,
cookie->resultMsg, cookie->i_flags,
&curEntry, &cookie->errorp);
if (ret != NS_LDAP_SUCCESS) {
return (ret);
}
if (cookie->result == NULL) {
cookie->result = (ns_ldap_result_t *)
calloc(1, sizeof (ns_ldap_result_t));
if (cookie->result == NULL) {
__ns_ldap_freeEntry(curEntry);
curEntry = NULL;
return (NS_LDAP_MEMORY);
}
cookie->result->entry = curEntry;
cookie->nextEntry = curEntry;
} else {
cookie->nextEntry->next = curEntry;
cookie->nextEntry = curEntry;
}
cookie->result->entries_count++;
return (NS_LDAP_SUCCESS);
}
static int
__s_api_get_cachemgr_data(const char *type,
const char *from, char **to)
{
union {
ldap_data_t s_d;
char s_b[DOORBUFFERSIZE];
} space;
ldap_data_t *sptr;
int ndata;
int adata;
int rc;
#ifdef DEBUG
(void) fprintf(stderr, "__s_api_get_cachemgr_data START\n");
#endif
/*
* We are not going to perform DN to domain mapping
* in the Standalone mode
*/
if (__s_api_isStandalone()) {
return (-1);
}
if (from == NULL || from[0] == '\0' || to == NULL)
return (-1);
*to = NULL;
(void) memset(space.s_b, 0, DOORBUFFERSIZE);
space.s_d.ldap_call.ldap_callnumber = GETCACHE;
(void) snprintf(space.s_d.ldap_call.ldap_u.domainname,
DOORBUFFERSIZE - sizeof (space.s_d.ldap_call.ldap_callnumber),
"%s%s%s",
type,
DOORLINESEP,
from);
ndata = sizeof (space);
adata = sizeof (ldap_call_t) +
strlen(space.s_d.ldap_call.ldap_u.domainname) + 1;
sptr = &space.s_d;
rc = __ns_ldap_trydoorcall(&sptr, &ndata, &adata);
if (rc != NS_CACHE_SUCCESS)
return (-1);
else
*to = strdup(sptr->ldap_ret.ldap_u.buff);
return (NS_LDAP_SUCCESS);
}
static int
__s_api_set_cachemgr_data(const char *type,
const char *from, const char *to)
{
union {
ldap_data_t s_d;
char s_b[DOORBUFFERSIZE];
} space;
ldap_data_t *sptr;
int ndata;
int adata;
int rc;
#ifdef DEBUG
(void) fprintf(stderr, "__s_api_set_cachemgr_data START\n");
#endif
/*
* We are not going to perform DN to domain mapping
* in the Standalone mode
*/
if (__s_api_isStandalone()) {
return (-1);
}
if ((from == NULL) || (from[0] == '\0') ||
(to == NULL) || (to[0] == '\0'))
return (-1);
(void) memset(space.s_b, 0, DOORBUFFERSIZE);
space.s_d.ldap_call.ldap_callnumber = SETCACHE;
(void) snprintf(space.s_d.ldap_call.ldap_u.domainname,
DOORBUFFERSIZE - sizeof (space.s_d.ldap_call.ldap_callnumber),
"%s%s%s%s%s",
type,
DOORLINESEP,
from,
DOORLINESEP,
to);
ndata = sizeof (space);
adata = sizeof (ldap_call_t) +
strlen(space.s_d.ldap_call.ldap_u.domainname) + 1;
sptr = &space.s_d;
rc = __ns_ldap_trydoorcall(&sptr, &ndata, &adata);
if (rc != NS_CACHE_SUCCESS)
return (-1);
return (NS_LDAP_SUCCESS);
}
static char *
__s_api_remove_rdn_space(char *rdn)
{
char *tf, *tl, *vf, *vl, *eqsign;
/* if no space(s) to remove, return */
if (strchr(rdn, SPACETOK) == NULL)
return (rdn);
/* if no '=' separator, return */
eqsign = strchr(rdn, '=');
if (eqsign == NULL)
return (rdn);
tf = rdn;
tl = eqsign - 1;
vf = eqsign + 1;
vl = rdn + strlen(rdn) - 1;
/* now two strings, type and value */
*eqsign = '\0';
/* remove type's leading spaces */
while (tf < tl && *tf == SPACETOK)
tf++;
/* remove type's trailing spaces */
while (tf < tl && *tl == SPACETOK)
tl--;
/* add '=' separator back */
*(++tl) = '=';
/* remove value's leading spaces */
while (vf < vl && *vf == SPACETOK)
vf++;
/* remove value's trailing spaces */
while (vf < vl && *vl == SPACETOK)
*vl-- = '\0';
/* move value up if necessary */
if (vf != tl + 1)
(void) strcpy(tl + 1, vf);
return (tf);
}
static
ns_ldap_cookie_t *
init_search_state_machine()
{
ns_ldap_cookie_t *cookie;
ns_config_t *cfg;
cookie = (ns_ldap_cookie_t *)calloc(1, sizeof (ns_ldap_cookie_t));
if (cookie == NULL)
return (NULL);
cookie->state = INIT;
/* assign other state variables */
cfg = __s_api_loadrefresh_config();
cookie->connectionId = -1;
if (cfg == NULL ||
cfg->paramList[NS_LDAP_SEARCH_TIME_P].ns_ptype == NS_UNKNOWN) {
cookie->search_timeout.tv_sec = NS_DEFAULT_SEARCH_TIMEOUT;
} else {
cookie->search_timeout.tv_sec =
cfg->paramList[NS_LDAP_SEARCH_TIME_P].ns_i;
}
if (cfg != NULL)
__s_api_release_config(cfg);
cookie->search_timeout.tv_usec = 0;
return (cookie);
}
static void
delete_search_cookie(ns_ldap_cookie_t *cookie)
{
if (cookie == NULL)
return;
if (cookie->connectionId > -1)
DropConnection(cookie->connectionId, cookie->i_flags);
if (cookie->filter)
free(cookie->filter);
if (cookie->i_filter)
free(cookie->i_filter);
if (cookie->service)
free(cookie->service);
if (cookie->sdlist)
(void) __ns_ldap_freeSearchDescriptors(&(cookie->sdlist));
if (cookie->result)
(void) __ns_ldap_freeResult(&cookie->result);
if (cookie->attribute)
__s_api_free2dArray(cookie->attribute);
if (cookie->errorp)
(void) __ns_ldap_freeError(&cookie->errorp);
if (cookie->reflist)
__s_api_deleteRefInfo(cookie->reflist);
if (cookie->basedn)
free(cookie->basedn);
if (cookie->ctrlCookie)
ber_bvfree(cookie->ctrlCookie);
_freeControlList(&cookie->p_serverctrls);
if (cookie->resultctrl)
ldap_controls_free(cookie->resultctrl);
free(cookie);
}
static int
get_mapped_filter(ns_ldap_cookie_t *cookie, char **new_filter)
{
typedef struct filter_mapping_info {
char oc_or_attr;
char *name_start;
char *name_end;
char *veq_pos;
char *from_name;
char *to_name;
char **mapping;
} filter_mapping_info_t;
char *c, *last_copied;
char *filter_c, *filter_c_next;
char *key, *tail, *head;
char errstr[MAXERROR];
int num_eq = 0, num_veq = 0;
int in_quote = FALSE;
int is_value = FALSE;
int i, j, oc_len, len;
int at_least_one = FALSE;
filter_mapping_info_t **info, *info1;
char **mapping;
char *service, *filter, *err;
int auto_service = FALSE;
if (cookie == NULL || new_filter == NULL)
return (NS_LDAP_INVALID_PARAM);
*new_filter = NULL;
service = cookie->service;
filter = cookie->filter;
/*
* count the number of '=' char
*/
for (c = filter; *c; c++) {
if (*c == TOKENSEPARATOR)
num_eq++;
}
if (service != NULL && strncasecmp(service, "auto_", 5) == 0)
auto_service = TRUE;
/*
* See if schema mapping existed for the given service.
* If not, just return success.
*/
mapping = __ns_ldap_getOrigAttribute(service,
NS_HASH_SCHEMA_MAPPING_EXISTED);
if (mapping == NULL && auto_service)
/*
* if service == auto_* and no
* schema mapping found
* then try automount
*/
mapping = __ns_ldap_getOrigAttribute(
"automount", NS_HASH_SCHEMA_MAPPING_EXISTED);
if (mapping)
__s_api_free2dArray(mapping);
else
return (NS_LDAP_SUCCESS);
/*
* no '=' sign, just say OK and return nothing
*/
if (num_eq == 0)
return (NS_LDAP_SUCCESS);
/*
* Make a copy of the filter string
* for saving the name of the objectclasses or
* attributes that need to be passed to the
* objectclass or attribute mapping functions.
* pointer "info->from_name" points to the locations
* within this string.
*
* The input filter string, filter, will be used
* to indicate where these names start and end.
* pointers "info->name_start" and "info->name_end"
* point to locations within the input filter string,
* and are used at the end of this function to
* merge the original filter data with the
* mapped objectclass or attribute names.
*/
filter_c = strdup(filter);
if (filter_c == NULL)
return (NS_LDAP_MEMORY);
filter_c_next = filter_c;
/*
* get memory for info arrays
*/
info = (filter_mapping_info_t **)calloc(num_eq + 1,
sizeof (filter_mapping_info_t *));
if (info == NULL) {
free(filter_c);
return (NS_LDAP_MEMORY);
}
/*
* find valid '=' for further processing,
* ignore the "escaped =" (.i.e. "\="), or
* "=" in quoted string
*/
for (c = filter_c; *c; c++) {
switch (*c) {
case TOKENSEPARATOR:
if (!in_quote && !is_value) {
info1 = (filter_mapping_info_t *)calloc(1,
sizeof (filter_mapping_info_t));
if (!info1) {
free(filter_c);
for (i = 0; i < num_veq; i++)
free(info[i]);
free(info);
return (NS_LDAP_MEMORY);
}
info[num_veq] = info1;
/*
* remember the location of this "="
*/
info[num_veq++]->veq_pos = c;
/*
* skip until the end of the attribute value
*/
is_value = TRUE;
}
break;
case CPARATOK:
/*
* mark the end of the attribute value
*/
if (!in_quote)
is_value = FALSE;
break;
case QUOTETOK:
/*
* switch on/off the in_quote mode
*/
in_quote = (in_quote == FALSE);
break;
case '\\':
/*
* ignore escape characters
* don't skip if next char is '\0'
*/
if (!in_quote)
if (*(++c) == '\0')
c--;
break;
}
}
/*
* for each valid "=" found, get the name to
* be mapped
*/
oc_len = strlen("objectclass");
for (i = 0; i < num_veq; i++) {
/*
* look at the left side of "=" to see
* if assertion is "objectclass=<ocname>"
* or "<attribute name>=<attribute value>"
*
* first skip spaces before "=".
* Note that filter_c_next may not point to the
* start of the filter string. For i > 0,
* it points to the end of the last name processed + 2
*/
for (tail = info[i]->veq_pos; (tail > filter_c_next) &&
(*(tail - 1) == SPACETOK); tail--)
;
/*
* mark the end of the left side string (the key)
*/
*tail = '\0';
info[i]->name_end = tail - filter_c - 1 + filter;
/*
* find the start of the key
*/
key = filter_c_next;
for (c = tail; filter_c_next <= c; c--) {
/* OPARATOK is '(' */
if (*c == OPARATOK ||
*c == SPACETOK) {
key = c + 1;
break;
}
}
info[i]->name_start = key - filter_c + filter;
if ((key + oc_len) <= tail) {
if (strncasecmp(key, "objectclass",
oc_len) == 0) {
/*
* assertion is "objectclass=ocname",
* ocname is the one needs to be mapped
*
* skip spaces after "=" to find start
* of the ocname
*/
head = info[i]->veq_pos;
for (head = info[i]->veq_pos + 1;
*head && *head == SPACETOK; head++)
;
/* ignore empty ocname */
if (!(*head))
continue;
info[i]->name_start = head - filter_c +
filter;
/*
* now find the end of the ocname
*/
for (c = head; ; c++) {
/* CPARATOK is ')' */
if (*c == CPARATOK ||
*c == '\0' ||
*c == SPACETOK) {
*c = '\0';
info[i]->name_end =
c - filter_c - 1 +
filter;
filter_c_next = c + 1;
info[i]->oc_or_attr = 'o';
info[i]->from_name = head;
break;
}
}
}
}
/*
* assertion is not "objectclass=ocname",
* assume assertion is "<key> = <value>",
* <key> is the one needs to be mapped
*/
if (info[i]->from_name == NULL && strlen(key) > 0) {
info[i]->oc_or_attr = 'a';
info[i]->from_name = key;
}
}
/* perform schema mapping */
for (i = 0; i < num_veq; i++) {
if (info[i]->from_name == NULL)
continue;
if (info[i]->oc_or_attr == 'a')
info[i]->mapping =
__ns_ldap_getMappedAttributes(service,
info[i]->from_name);
else
info[i]->mapping =
__ns_ldap_getMappedObjectClass(service,
info[i]->from_name);
if (info[i]->mapping == NULL && auto_service) {
/*
* If no mapped attribute/objectclass is found
* and service == auto*
* try to find automount's
* mapped attribute/objectclass
*/
if (info[i]->oc_or_attr == 'a')
info[i]->mapping =
__ns_ldap_getMappedAttributes("automount",
info[i]->from_name);
else
info[i]->mapping =
__ns_ldap_getMappedObjectClass("automount",
info[i]->from_name);
}
if (info[i]->mapping == NULL ||
info[i]->mapping[0] == NULL) {
info[i]->to_name = NULL;
} else if (info[i]->mapping[1] == NULL) {
info[i]->to_name = info[i]->mapping[0];
at_least_one = TRUE;
} else {
__s_api_free2dArray(info[i]->mapping);
/*
* multiple mapping
* not allowed
*/
(void) sprintf(errstr,
gettext(
"Multiple attribute or objectclass "
"mapping for '%s' in filter "
"'%s' not allowed."),
info[i]->from_name, filter);
err = strdup(errstr);
if (err)
MKERROR(LOG_WARNING, cookie->errorp,
NS_CONFIG_SYNTAX,
err, NULL);
free(filter_c);
for (j = 0; j < num_veq; j++) {
if (info[j]->mapping)
__s_api_free2dArray(
info[j]->mapping);
free(info[j]);
}
free(info);
return (NS_LDAP_CONFIG);
}
}
if (at_least_one) {
len = strlen(filter);
last_copied = filter - 1;
for (i = 0; i < num_veq; i++) {
if (info[i]->to_name)
len += strlen(info[i]->to_name);
}
*new_filter = (char *)calloc(1, len);
if (*new_filter == NULL) {
free(filter_c);
for (j = 0; j < num_veq; j++) {
if (info[j]->mapping)
__s_api_free2dArray(
info[j]->mapping);
free(info[j]);
}
free(info);
return (NS_LDAP_MEMORY);
}
for (i = 0; i < num_veq; i++) {
if (info[i]->to_name != NULL &&
info[i]->to_name != NULL) {
/*
* copy the original filter data
* between the last name and current
* name
*/
if ((last_copied + 1) != info[i]->name_start)
(void) strncat(*new_filter,
last_copied + 1,
info[i]->name_start -
last_copied - 1);
/* the data is copied */
last_copied = info[i]->name_end;
/*
* replace the name with
* the mapped name
*/
(void) strcat(*new_filter, info[i]->to_name);
}
/* copy the filter data after the last name */
if (i == (num_veq -1) &&
info[i]->name_end <
(filter + strlen(filter)))
(void) strncat(*new_filter, last_copied + 1,
filter + strlen(filter) -
last_copied - 1);
}
}
/* free memory */
free(filter_c);
for (j = 0; j < num_veq; j++) {
if (info[j]->mapping)
__s_api_free2dArray(info[j]->mapping);
free(info[j]);
}
free(info);
return (NS_LDAP_SUCCESS);
}
static int
setup_next_search(ns_ldap_cookie_t *cookie)
{
ns_ldap_search_desc_t *dptr;
int scope;
char *filter, *str;
int baselen;
int rc;
void **param;
dptr = *cookie->sdpos;
scope = cookie->i_flags & (NS_LDAP_SCOPE_BASE |
NS_LDAP_SCOPE_ONELEVEL |
NS_LDAP_SCOPE_SUBTREE);
if (scope)
cookie->scope = scope;
else
cookie->scope = dptr->scope;
switch (cookie->scope) {
case NS_LDAP_SCOPE_BASE:
cookie->scope = LDAP_SCOPE_BASE;
break;
case NS_LDAP_SCOPE_ONELEVEL:
cookie->scope = LDAP_SCOPE_ONELEVEL;
break;
case NS_LDAP_SCOPE_SUBTREE:
cookie->scope = LDAP_SCOPE_SUBTREE;
break;
}
filter = NULL;
if (cookie->use_filtercb && cookie->init_filter_cb &&
dptr->filter && strlen(dptr->filter) > 0) {
(*cookie->init_filter_cb)(dptr, &filter,
cookie->userdata);
}
if (filter == NULL) {
if (cookie->i_filter == NULL) {
cookie->err_rc = NS_LDAP_INVALID_PARAM;
return (-1);
} else {
if (cookie->filter)
free(cookie->filter);
cookie->filter = strdup(cookie->i_filter);
if (cookie->filter == NULL) {
cookie->err_rc = NS_LDAP_MEMORY;
return (-1);
}
}
} else {
if (cookie->filter)
free(cookie->filter);
cookie->filter = strdup(filter);
free(filter);
if (cookie->filter == NULL) {
cookie->err_rc = NS_LDAP_MEMORY;
return (-1);
}
}
/*
* perform attribute/objectclass mapping on filter
*/
filter = NULL;
if (cookie->service) {
rc = get_mapped_filter(cookie, &filter);
if (rc != NS_LDAP_SUCCESS) {
cookie->err_rc = rc;
return (-1);
} else {
/*
* get_mapped_filter returns
* NULL filter pointer, if
* no mapping was done
*/
if (filter) {
free(cookie->filter);
cookie->filter = filter;
}
}
}
/*
* validate filter to make sure it's legal
* [remove redundant ()'s]
*/
rc = validate_filter(cookie);
if (rc != NS_LDAP_SUCCESS) {
cookie->err_rc = rc;
return (-1);
}
baselen = strlen(dptr->basedn);
if (baselen > 0 && dptr->basedn[baselen-1] == COMMATOK) {
rc = __ns_ldap_getParam(NS_LDAP_SEARCH_BASEDN_P,
(void ***)¶m, &cookie->errorp);
if (rc != NS_LDAP_SUCCESS) {
cookie->err_rc = rc;
return (-1);
}
str = ((char **)param)[0];
baselen += strlen(str)+1;
if (cookie->basedn)
free(cookie->basedn);
cookie->basedn = (char *)malloc(baselen);
if (cookie->basedn == NULL) {
cookie->err_rc = NS_LDAP_MEMORY;
return (-1);
}
(void) strcpy(cookie->basedn, dptr->basedn);
(void) strcat(cookie->basedn, str);
(void) __ns_ldap_freeParam(¶m);
} else {
if (cookie->basedn)
free(cookie->basedn);
cookie->basedn = strdup(dptr->basedn);
}
return (0);
}
static int
setup_referral_search(ns_ldap_cookie_t *cookie)
{
ns_referral_info_t *ref;
ref = cookie->refpos;
cookie->scope = ref->refScope;
if (cookie->filter) {
free(cookie->filter);
}
cookie->filter = strdup(ref->refFilter);
if (cookie->basedn) {
free(cookie->basedn);
}
cookie->basedn = strdup(ref->refDN);
if (cookie->filter == NULL || cookie->basedn == NULL) {
cookie->err_rc = NS_LDAP_MEMORY;
return (-1);
}
return (0);
}
static int
get_current_session(ns_ldap_cookie_t *cookie)
{
ConnectionID connectionId = -1;
Connection *conp = NULL;
int rc;
int fail_if_new_pwd_reqd = 1;
rc = __s_api_getConnection(NULL, cookie->i_flags,
cookie->i_auth, &connectionId, &conp,
&cookie->errorp, fail_if_new_pwd_reqd,
cookie->nopasswd_acct_mgmt, cookie->conn_user);
/*
* If password control attached in *cookie->errorp,
* e.g. rc == NS_LDAP_SUCCESS_WITH_INFO,
* free the error structure (we do not need
* the sec_to_expired info).
* Reset rc to NS_LDAP_SUCCESS.
*/
if (rc == NS_LDAP_SUCCESS_WITH_INFO) {
(void) __ns_ldap_freeError(
&cookie->errorp);
cookie->errorp = NULL;
rc = NS_LDAP_SUCCESS;
}
if (rc != NS_LDAP_SUCCESS) {
cookie->err_rc = rc;
return (-1);
}
cookie->conn = conp;
cookie->connectionId = connectionId;
return (0);
}
static int
get_next_session(ns_ldap_cookie_t *cookie)
{
ConnectionID connectionId = -1;
Connection *conp = NULL;
int rc;
int fail_if_new_pwd_reqd = 1;
if (cookie->connectionId > -1) {
DropConnection(cookie->connectionId, cookie->i_flags);
cookie->connectionId = -1;
}
/* If using a MT connection, return it. */
if (cookie->conn_user != NULL &&
cookie->conn_user->conn_mt != NULL)
__s_api_conn_mt_return(cookie->conn_user);
rc = __s_api_getConnection(NULL, cookie->i_flags,
cookie->i_auth, &connectionId, &conp,
&cookie->errorp, fail_if_new_pwd_reqd,
cookie->nopasswd_acct_mgmt, cookie->conn_user);
/*
* If password control attached in *cookie->errorp,
* e.g. rc == NS_LDAP_SUCCESS_WITH_INFO,
* free the error structure (we do not need
* the sec_to_expired info).
* Reset rc to NS_LDAP_SUCCESS.
*/
if (rc == NS_LDAP_SUCCESS_WITH_INFO) {
(void) __ns_ldap_freeError(
&cookie->errorp);
cookie->errorp = NULL;
rc = NS_LDAP_SUCCESS;
}
if (rc != NS_LDAP_SUCCESS) {
cookie->err_rc = rc;
return (-1);
}
cookie->conn = conp;
cookie->connectionId = connectionId;
return (0);
}
static int
get_referral_session(ns_ldap_cookie_t *cookie)
{
ConnectionID connectionId = -1;
Connection *conp = NULL;
int rc;
int fail_if_new_pwd_reqd = 1;
if (cookie->connectionId > -1) {
DropConnection(cookie->connectionId, cookie->i_flags);
cookie->connectionId = -1;
}
/* set it up to use a connection opened for referral */
if (cookie->conn_user != NULL) {
/* If using a MT connection, return it. */
if (cookie->conn_user->conn_mt != NULL)
__s_api_conn_mt_return(cookie->conn_user);
cookie->conn_user->referral = B_TRUE;
}
rc = __s_api_getConnection(cookie->refpos->refHost, 0,
cookie->i_auth, &connectionId, &conp,
&cookie->errorp, fail_if_new_pwd_reqd,
cookie->nopasswd_acct_mgmt, cookie->conn_user);
/*
* If password control attached in *cookie->errorp,
* e.g. rc == NS_LDAP_SUCCESS_WITH_INFO,
* free the error structure (we do not need
* the sec_to_expired info).
* Reset rc to NS_LDAP_SUCCESS.
*/
if (rc == NS_LDAP_SUCCESS_WITH_INFO) {
(void) __ns_ldap_freeError(
&cookie->errorp);
cookie->errorp = NULL;
rc = NS_LDAP_SUCCESS;
}
if (rc != NS_LDAP_SUCCESS) {
cookie->err_rc = rc;
return (-1);
}
cookie->conn = conp;
cookie->connectionId = connectionId;
return (0);
}
static int
paging_supported(ns_ldap_cookie_t *cookie)
{
int rc;
cookie->listType = 0;
rc = __s_api_isCtrlSupported(cookie->conn,
LDAP_CONTROL_VLVREQUEST);
if (rc == NS_LDAP_SUCCESS) {
cookie->listType = VLVCTRLFLAG;
return (1);
}
rc = __s_api_isCtrlSupported(cookie->conn,
LDAP_CONTROL_SIMPLE_PAGE);
if (rc == NS_LDAP_SUCCESS) {
cookie->listType = SIMPLEPAGECTRLFLAG;
return (1);
}
return (0);
}
static int
setup_vlv_params(ns_ldap_cookie_t *cookie)
{
LDAPControl **ctrls;
LDAPsortkey **sortkeylist;
LDAPControl *sortctrl = NULL;
LDAPControl *vlvctrl = NULL;
LDAPVirtualList vlist;
int rc;
_freeControlList(&cookie->p_serverctrls);
rc = ldap_create_sort_keylist(&sortkeylist, SORTKEYLIST);
if (rc != LDAP_SUCCESS) {
(void) ldap_get_option(cookie->conn->ld,
LDAP_OPT_ERROR_NUMBER, &rc);
return (rc);
}
rc = ldap_create_sort_control(cookie->conn->ld,
sortkeylist, 1, &sortctrl);
ldap_free_sort_keylist(sortkeylist);
if (rc != LDAP_SUCCESS) {
(void) ldap_get_option(cookie->conn->ld,
LDAP_OPT_ERROR_NUMBER, &rc);
return (rc);
}
vlist.ldvlist_index = cookie->index;
vlist.ldvlist_size = 0;
vlist.ldvlist_before_count = 0;
vlist.ldvlist_after_count = LISTPAGESIZE-1;
vlist.ldvlist_attrvalue = NULL;
vlist.ldvlist_extradata = NULL;
rc = ldap_create_virtuallist_control(cookie->conn->ld,
&vlist, &vlvctrl);
if (rc != LDAP_SUCCESS) {
ldap_control_free(sortctrl);
(void) ldap_get_option(cookie->conn->ld, LDAP_OPT_ERROR_NUMBER,
&rc);
return (rc);
}
ctrls = (LDAPControl **)calloc(3, sizeof (LDAPControl *));
if (ctrls == NULL) {
ldap_control_free(sortctrl);
ldap_control_free(vlvctrl);
return (LDAP_NO_MEMORY);
}
ctrls[0] = sortctrl;
ctrls[1] = vlvctrl;
cookie->p_serverctrls = ctrls;
return (LDAP_SUCCESS);
}
static int
setup_simplepg_params(ns_ldap_cookie_t *cookie)
{
LDAPControl **ctrls;
LDAPControl *pgctrl = NULL;
int rc;
_freeControlList(&cookie->p_serverctrls);
rc = ldap_create_page_control(cookie->conn->ld, LISTPAGESIZE,
cookie->ctrlCookie, (char)0, &pgctrl);
if (rc != LDAP_SUCCESS) {
(void) ldap_get_option(cookie->conn->ld, LDAP_OPT_ERROR_NUMBER,
&rc);
return (rc);
}
ctrls = (LDAPControl **)calloc(2, sizeof (LDAPControl *));
if (ctrls == NULL) {
ldap_control_free(pgctrl);
return (LDAP_NO_MEMORY);
}
ctrls[0] = pgctrl;
cookie->p_serverctrls = ctrls;
return (LDAP_SUCCESS);
}
static void
proc_result_referrals(ns_ldap_cookie_t *cookie)
{
int errCode, i, rc;
char **referrals = NULL;
/*
* Only follow one level of referrals, i.e.
* if already in referral mode, do nothing
*/
if (cookie->refpos == NULL) {
cookie->new_state = END_RESULT;
rc = ldap_parse_result(cookie->conn->ld,
cookie->resultMsg,
&errCode, NULL,
NULL, &referrals,
NULL, 0);
if (rc != NS_LDAP_SUCCESS) {
(void) ldap_get_option(cookie->conn->ld,
LDAP_OPT_ERROR_NUMBER,
&cookie->err_rc);
cookie->new_state = LDAP_ERROR;
return;
}
if (errCode == LDAP_REFERRAL) {
for (i = 0; referrals[i] != NULL;
i++) {
/* add to referral list */
rc = __s_api_addRefInfo(
&cookie->reflist,
referrals[i],
cookie->basedn,
&cookie->scope,
cookie->filter,
cookie->conn->ld);
if (rc != NS_LDAP_SUCCESS) {
cookie->new_state =
ERROR;
break;
}
}
ldap_value_free(referrals);
}
}
}
static void
proc_search_references(ns_ldap_cookie_t *cookie)
{
char **refurls = NULL;
int i, rc;
/*
* Only follow one level of referrals, i.e.
* if already in referral mode, do nothing
*/
if (cookie->refpos == NULL) {
refurls = ldap_get_reference_urls(
cookie->conn->ld,
cookie->resultMsg);
if (refurls == NULL) {
(void) ldap_get_option(cookie->conn->ld,
LDAP_OPT_ERROR_NUMBER,
&cookie->err_rc);
cookie->new_state = LDAP_ERROR;
return;
}
for (i = 0; refurls[i] != NULL; i++) {
/* add to referral list */
rc = __s_api_addRefInfo(
&cookie->reflist,
refurls[i],
cookie->basedn,
&cookie->scope,
cookie->filter,
cookie->conn->ld);
if (rc != NS_LDAP_SUCCESS) {
cookie->new_state =
ERROR;
break;
}
}
/* free allocated storage */
for (i = 0; refurls[i] != NULL; i++)
free(refurls[i]);
}
}
static ns_state_t
multi_result(ns_ldap_cookie_t *cookie)
{
char errstr[MAXERROR];
char *err;
ns_ldap_error_t **errorp = NULL;
LDAPControl **retCtrls = NULL;
int i, rc;
int errCode;
int finished = 0;
unsigned long target_posp = 0;
unsigned long list_size = 0;
unsigned int count = 0;
char **referrals = NULL;
if (cookie->listType == VLVCTRLFLAG) {
rc = ldap_parse_result(cookie->conn->ld, cookie->resultMsg,
&errCode, NULL, NULL, &referrals, &retCtrls, 0);
if (rc != LDAP_SUCCESS) {
(void) ldap_get_option(cookie->conn->ld,
LDAP_OPT_ERROR_NUMBER,
&cookie->err_rc);
(void) sprintf(errstr,
gettext("LDAP ERROR (%d): %s.\n"),
cookie->err_rc,
gettext(ldap_err2string(cookie->err_rc)));
err = strdup(errstr);
MKERROR(LOG_WARNING, *errorp, NS_LDAP_INTERNAL, err,
NULL);
cookie->err_rc = NS_LDAP_INTERNAL;
cookie->errorp = *errorp;
return (LDAP_ERROR);
}
if (errCode == LDAP_REFERRAL) {
for (i = 0; referrals[i] != NULL;
i++) {
/* add to referral list */
rc = __s_api_addRefInfo(
&cookie->reflist,
referrals[i],
cookie->basedn,
&cookie->scope,
cookie->filter,
cookie->conn->ld);
if (rc != NS_LDAP_SUCCESS) {
ldap_value_free(
referrals);
if (retCtrls)
ldap_controls_free(
retCtrls);
return (ERROR);
}
}
ldap_value_free(referrals);
if (retCtrls)
ldap_controls_free(retCtrls);
return (END_RESULT);
}
if (retCtrls) {
rc = ldap_parse_virtuallist_control(
cookie->conn->ld, retCtrls,
&target_posp, &list_size, &errCode);
if (rc == LDAP_SUCCESS) {
cookie->index = target_posp + LISTPAGESIZE;
if (cookie->index > list_size) {
finished = 1;
}
}
ldap_controls_free(retCtrls);
retCtrls = NULL;
}
else
finished = 1;
} else if (cookie->listType == SIMPLEPAGECTRLFLAG) {
rc = ldap_parse_result(cookie->conn->ld, cookie->resultMsg,
&errCode, NULL, NULL, &referrals, &retCtrls, 0);
if (rc != LDAP_SUCCESS) {
(void) ldap_get_option(cookie->conn->ld,
LDAP_OPT_ERROR_NUMBER,
&cookie->err_rc);
(void) sprintf(errstr,
gettext("LDAP ERROR (%d): %s.\n"),
cookie->err_rc,
gettext(ldap_err2string(cookie->err_rc)));
err = strdup(errstr);
MKERROR(LOG_WARNING, *errorp, NS_LDAP_INTERNAL, err,
NULL);
cookie->err_rc = NS_LDAP_INTERNAL;
cookie->errorp = *errorp;
return (LDAP_ERROR);
}
if (errCode == LDAP_REFERRAL) {
for (i = 0; referrals[i] != NULL;
i++) {
/* add to referral list */
rc = __s_api_addRefInfo(
&cookie->reflist,
referrals[i],
cookie->basedn,
&cookie->scope,
cookie->filter,
cookie->conn->ld);
if (rc != NS_LDAP_SUCCESS) {
ldap_value_free(
referrals);
if (retCtrls)
ldap_controls_free(
retCtrls);
return (ERROR);
}
}
ldap_value_free(referrals);
if (retCtrls)
ldap_controls_free(retCtrls);
return (END_RESULT);
}
if (retCtrls) {
if (cookie->ctrlCookie)
ber_bvfree(cookie->ctrlCookie);
cookie->ctrlCookie = NULL;
rc = ldap_parse_page_control(
cookie->conn->ld, retCtrls,
&count, &cookie->ctrlCookie);
if (rc == LDAP_SUCCESS) {
if ((cookie->ctrlCookie == NULL) ||
(cookie->ctrlCookie->bv_val == NULL) ||
(cookie->ctrlCookie->bv_len == 0))
finished = 1;
}
ldap_controls_free(retCtrls);
retCtrls = NULL;
}
else
finished = 1;
}
if (!finished && cookie->listType == VLVCTRLFLAG)
return (NEXT_VLV);
if (!finished && cookie->listType == SIMPLEPAGECTRLFLAG)
return (NEXT_PAGE);
if (finished)
return (END_RESULT);
return (ERROR);
}
/*
* clear_results(ns_ldap_cookie_t):
*
* Attempt to obtain remnants of ldap responses and free them. If remnants are
* not obtained within a certain time period tell the server we wish to abandon
* the request.
*
* Note that we do not initially tell the server to abandon the request as that
* can be an expensive operation for the server, while it is cheap for us to
* just flush the input.
*
* If something was to remain in libldap queue as a result of some error then
* it would be freed later during drop connection call or when no other
* requests share the connection.
*/
static void
clear_results(ns_ldap_cookie_t *cookie)
{
int rc;
if (cookie->conn != NULL && cookie->conn->ld != NULL &&
(cookie->connectionId != -1 ||
(cookie->conn_user != NULL &&
cookie->conn_user->conn_mt != NULL)) &&
cookie->msgId != 0) {
/*
* We need to cleanup the rest of response (if there is such)
* and LDAP abandon is too heavy for LDAP servers, so we will
* wait for the rest of response till timeout and "process" it.
*/
rc = ldap_result(cookie->conn->ld, cookie->msgId, LDAP_MSG_ALL,
(struct timeval *)&cookie->search_timeout,
&cookie->resultMsg);
if (rc != -1 && rc != 0 && cookie->resultMsg != NULL)
(void) ldap_msgfree(cookie->resultMsg);
/*
* If there was timeout then we will send ABANDON request to
* LDAP server to decrease load.
*/
if (rc == 0)
(void) ldap_abandon_ext(cookie->conn->ld, cookie->msgId,
NULL, NULL);
/* Disassociate cookie with msgId */
cookie->msgId = 0;
}
}
/*
* This state machine performs one or more LDAP searches to a given
* directory server using service search descriptors and schema
* mapping as appropriate. The approximate pseudocode for
* this routine is the following:
* Given the current configuration [set/reset connection etc.]
* and the current service search descriptor list
* or default search filter parameters
* foreach (service search filter) {
* initialize the filter [via filter_init if appropriate]
* get a valid session/connection (preferably the current one)
* Recover if the connection is lost
* perform the search
* foreach (result entry) {
* process result [via callback if appropriate]
* save result for caller if accepted.
* exit and return all collected if allResults found;
* }
* }
* return collected results and exit
*/
static
ns_state_t
search_state_machine(ns_ldap_cookie_t *cookie, ns_state_t state, int cycle)
{
char errstr[MAXERROR];
char *err;
int rc, ret;
int rc_save;
ns_ldap_entry_t *nextEntry;
ns_ldap_error_t *error = NULL;
ns_ldap_error_t **errorp;
struct timeval tv;
errorp = &error;
cookie->state = state;
errstr[0] = '\0';
for (;;) {
switch (cookie->state) {
case CLEAR_RESULTS:
clear_results(cookie);
cookie->new_state = EXIT;
break;
case GET_ACCT_MGMT_INFO:
/*
* Set the flag to get ldap account management controls.
*/
cookie->nopasswd_acct_mgmt = 1;
cookie->new_state = INIT;
break;
case EXIT:
/* state engine/connection cleaned up in delete */
if (cookie->attribute) {
__s_api_free2dArray(cookie->attribute);
cookie->attribute = NULL;
}
if (cookie->reflist) {
__s_api_deleteRefInfo(cookie->reflist);
cookie->reflist = NULL;
}
return (EXIT);
case INIT:
cookie->sdpos = NULL;
cookie->new_state = NEXT_SEARCH_DESCRIPTOR;
if (cookie->attribute) {
__s_api_free2dArray(cookie->attribute);
cookie->attribute = NULL;
}
if ((cookie->i_flags & NS_LDAP_NOMAP) == 0 &&
cookie->i_attr) {
cookie->attribute =
__ns_ldap_mapAttributeList(
cookie->service,
cookie->i_attr);
}
break;
case REINIT:
/* Check if we've reached MAX retries. */
cookie->retries++;
if (cookie->retries > NS_LIST_TRY_MAX - 1) {
cookie->new_state = LDAP_ERROR;
break;
}
/*
* Even if we still have retries left, check
* if retry is possible.
*/
if (cookie->conn_user != NULL) {
int retry;
ns_conn_mgmt_t *cmg;
cmg = cookie->conn_user->conn_mgmt;
retry = cookie->conn_user->retry;
if (cmg != NULL && cmg->cfg_reloaded == 1)
retry = 1;
if (retry == 0) {
cookie->new_state = LDAP_ERROR;
break;
}
}
/*
* Free results if any, reset to the first
* search descriptor and start a new session.
*/
if (cookie->resultMsg != NULL) {
(void) ldap_msgfree(cookie->resultMsg);
cookie->resultMsg = NULL;
}
(void) __ns_ldap_freeError(&cookie->errorp);
(void) __ns_ldap_freeResult(&cookie->result);
cookie->sdpos = cookie->sdlist;
cookie->err_from_result = 0;
cookie->err_rc = 0;
cookie->new_state = NEXT_SESSION;
break;
case NEXT_SEARCH_DESCRIPTOR:
/* get next search descriptor */
if (cookie->sdpos == NULL) {
cookie->sdpos = cookie->sdlist;
cookie->new_state = GET_SESSION;
} else {
cookie->sdpos++;
cookie->new_state = NEXT_SEARCH;
}
if (*cookie->sdpos == NULL)
cookie->new_state = EXIT;
break;
case GET_SESSION:
if (get_current_session(cookie) < 0)
cookie->new_state = NEXT_SESSION;
else
cookie->new_state = NEXT_SEARCH;
break;
case NEXT_SESSION:
if (get_next_session(cookie) < 0)
cookie->new_state = RESTART_SESSION;
else
cookie->new_state = NEXT_SEARCH;
break;
case RESTART_SESSION:
if (cookie->i_flags & NS_LDAP_HARD) {
cookie->new_state = NEXT_SESSION;
break;
}
(void) sprintf(errstr,
gettext("Session error no available conn.\n"),
state);
err = strdup(errstr);
MKERROR(LOG_WARNING, *errorp, NS_LDAP_INTERNAL, err,
NULL);
cookie->err_rc = NS_LDAP_INTERNAL;
cookie->errorp = *errorp;
cookie->new_state = EXIT;
break;
case NEXT_SEARCH:
/* setup referrals search if necessary */
if (cookie->refpos) {
if (setup_referral_search(cookie) < 0) {
cookie->new_state = EXIT;
break;
}
} else if (setup_next_search(cookie) < 0) {
cookie->new_state = EXIT;
break;
}
/* only do VLV/PAGE on scopes onelevel/subtree */
if (paging_supported(cookie)) {
if (cookie->use_paging &&
(cookie->scope != LDAP_SCOPE_BASE)) {
cookie->index = 1;
if (cookie->listType == VLVCTRLFLAG)
cookie->new_state = NEXT_VLV;
else
cookie->new_state = NEXT_PAGE;
break;
}
}
cookie->new_state = ONE_SEARCH;
break;
case NEXT_VLV:
rc = setup_vlv_params(cookie);
if (rc != LDAP_SUCCESS) {
cookie->err_rc = rc;
cookie->new_state = LDAP_ERROR;
break;
}
cookie->next_state = MULTI_RESULT;
cookie->new_state = DO_SEARCH;
break;
case NEXT_PAGE:
rc = setup_simplepg_params(cookie);
if (rc != LDAP_SUCCESS) {
cookie->err_rc = rc;
cookie->new_state = LDAP_ERROR;
break;
}
cookie->next_state = MULTI_RESULT;
cookie->new_state = DO_SEARCH;
break;
case ONE_SEARCH:
cookie->next_state = NEXT_RESULT;
cookie->new_state = DO_SEARCH;
break;
case DO_SEARCH:
rc = ldap_search_ext(cookie->conn->ld,
cookie->basedn,
cookie->scope,
cookie->filter,
cookie->attribute,
0,
cookie->p_serverctrls,
NULL,
&cookie->search_timeout, 0,
&cookie->msgId);
if (rc != LDAP_SUCCESS) {
if (rc == LDAP_BUSY ||
rc == LDAP_UNAVAILABLE ||
rc == LDAP_UNWILLING_TO_PERFORM ||
rc == LDAP_CONNECT_ERROR ||
rc == LDAP_SERVER_DOWN) {
if (cookie->reinit_on_retriable_err) {
cookie->err_rc = rc;
cookie->new_state = REINIT;
} else
cookie->new_state =
NEXT_SESSION;
/*
* If not able to reach the
* server, inform the ldap
* cache manager that the
* server should be removed
* from it's server list.
* Thus, the manager will not
* return this server on the next
* get-server request and will
* also reduce the server list
* refresh TTL, so that it will
* find out sooner when the server
* is up again.
*/
if ((rc == LDAP_CONNECT_ERROR ||
rc == LDAP_SERVER_DOWN) &&
(cookie->conn_user == NULL ||
cookie->conn_user->conn_mt ==
NULL)) {
ret = __s_api_removeServer(
cookie->conn->serverAddr);
if (ret == NS_CACHE_NOSERVER &&
cookie->conn_auth_type
== NS_LDAP_AUTH_NONE) {
/*
* Couldn't remove
* server from server
* list.
* Exit to avoid
* potential infinite
* loop.
*/
cookie->err_rc = rc;
cookie->new_state =
LDAP_ERROR;
}
if (cookie->connectionId > -1) {
/*
* NS_LDAP_NEW_CONN
* indicates that the
* connection should
* be deleted, not
* kept alive
*/
DropConnection(
cookie->
connectionId,
NS_LDAP_NEW_CONN);
cookie->connectionId =
-1;
}
} else if ((rc == LDAP_CONNECT_ERROR ||
rc == LDAP_SERVER_DOWN) &&
cookie->conn_user != NULL) {
if (cookie->
reinit_on_retriable_err) {
/*
* MT connection not
* usable, close it
* before REINIT.
* rc has already
* been saved in
* cookie->err_rc above.
*/
__s_api_conn_mt_close(
cookie->conn_user,
rc,
&cookie->errorp);
} else {
/*
* MT connection not
* usable, close it in
* the LDAP_ERROR state.
* A retry will be done
* next if allowed.
*/
cookie->err_rc = rc;
cookie->new_state =
LDAP_ERROR;
}
}
break;
}
cookie->err_rc = rc;
cookie->new_state = LDAP_ERROR;
break;
}
cookie->new_state = cookie->next_state;
break;
case NEXT_RESULT:
/*
* Caller (e.g. __ns_ldap_list_batch_add)
* does not want to block on ldap_result().
* Therefore we execute ldap_result() with
* a zeroed timeval.
*/
if (cookie->no_wait == B_TRUE)
(void) memset(&tv, 0, sizeof (tv));
else
tv = cookie->search_timeout;
rc = ldap_result(cookie->conn->ld, cookie->msgId,
LDAP_MSG_ONE,
&tv,
&cookie->resultMsg);
if (rc == LDAP_RES_SEARCH_RESULT) {
cookie->new_state = END_RESULT;
/* check and process referrals info */
if (cookie->followRef)
proc_result_referrals(
cookie);
(void) ldap_msgfree(cookie->resultMsg);
cookie->resultMsg = NULL;
break;
}
/* handle referrals if necessary */
if (rc == LDAP_RES_SEARCH_REFERENCE) {
if (cookie->followRef)
proc_search_references(cookie);
(void) ldap_msgfree(cookie->resultMsg);
cookie->resultMsg = NULL;
break;
}
if (rc != LDAP_RES_SEARCH_ENTRY) {
switch (rc) {
case 0:
if (cookie->no_wait == B_TRUE) {
(void) ldap_msgfree(
cookie->resultMsg);
cookie->resultMsg = NULL;
return (cookie->new_state);
}
rc = LDAP_TIMEOUT;
break;
case -1:
rc = ldap_get_lderrno(cookie->conn->ld,
NULL, NULL);
break;
default:
rc = ldap_result2error(cookie->conn->ld,
cookie->resultMsg, 1);
break;
}
if ((rc == LDAP_TIMEOUT ||
rc == LDAP_SERVER_DOWN) &&
(cookie->conn_user == NULL ||
cookie->conn_user->conn_mt == NULL)) {
if (rc == LDAP_TIMEOUT)
(void) __s_api_removeServer(
cookie->conn->serverAddr);
if (cookie->connectionId > -1) {
DropConnection(
cookie->connectionId,
NS_LDAP_NEW_CONN);
cookie->connectionId = -1;
}
cookie->err_from_result = 1;
}
(void) ldap_msgfree(cookie->resultMsg);
cookie->resultMsg = NULL;
if (rc == LDAP_BUSY ||
rc == LDAP_UNAVAILABLE ||
rc == LDAP_UNWILLING_TO_PERFORM) {
if (cookie->reinit_on_retriable_err) {
cookie->err_rc = rc;
cookie->err_from_result = 1;
cookie->new_state = REINIT;
} else
cookie->new_state =
NEXT_SESSION;
break;
}
if ((rc == LDAP_CONNECT_ERROR ||
rc == LDAP_SERVER_DOWN) &&
cookie->reinit_on_retriable_err) {
ns_ldap_error_t *errorp = NULL;
cookie->err_rc = rc;
cookie->err_from_result = 1;
cookie->new_state = REINIT;
if (cookie->conn_user != NULL)
__s_api_conn_mt_close(
cookie->conn_user,
rc, &errorp);
if (errorp != NULL) {
(void) __ns_ldap_freeError(
&cookie->errorp);
cookie->errorp = errorp;
}
break;
}
cookie->err_rc = rc;
cookie->new_state = LDAP_ERROR;
break;
}
/* else LDAP_RES_SEARCH_ENTRY */
/* get account management response control */
if (cookie->nopasswd_acct_mgmt == 1) {
rc = ldap_get_entry_controls(cookie->conn->ld,
cookie->resultMsg,
&(cookie->resultctrl));
if (rc != LDAP_SUCCESS) {
cookie->new_state = LDAP_ERROR;
cookie->err_rc = rc;
break;
}
}
rc = __s_api_getEntry(cookie);
(void) ldap_msgfree(cookie->resultMsg);
cookie->resultMsg = NULL;
if (rc != NS_LDAP_SUCCESS) {
cookie->new_state = LDAP_ERROR;
break;
}
cookie->new_state = PROCESS_RESULT;
cookie->next_state = NEXT_RESULT;
break;
case MULTI_RESULT:
if (cookie->no_wait == B_TRUE)
(void) memset(&tv, 0, sizeof (tv));
else
tv = cookie->search_timeout;
rc = ldap_result(cookie->conn->ld, cookie->msgId,
LDAP_MSG_ONE,
&tv,
&cookie->resultMsg);
if (rc == LDAP_RES_SEARCH_RESULT) {
rc = ldap_result2error(cookie->conn->ld,
cookie->resultMsg, 0);
if (rc != LDAP_SUCCESS) {
cookie->err_rc = rc;
cookie->new_state = LDAP_ERROR;
(void) ldap_msgfree(cookie->resultMsg);
break;
}
cookie->new_state = multi_result(cookie);
(void) ldap_msgfree(cookie->resultMsg);
cookie->resultMsg = NULL;
break;
}
/* handle referrals if necessary */
if (rc == LDAP_RES_SEARCH_REFERENCE &&
cookie->followRef) {
proc_search_references(cookie);
(void) ldap_msgfree(cookie->resultMsg);
cookie->resultMsg = NULL;
break;
}
if (rc != LDAP_RES_SEARCH_ENTRY) {
switch (rc) {
case 0:
if (cookie->no_wait == B_TRUE) {
(void) ldap_msgfree(
cookie->resultMsg);
cookie->resultMsg = NULL;
return (cookie->new_state);
}
rc = LDAP_TIMEOUT;
break;
case -1:
rc = ldap_get_lderrno(cookie->conn->ld,
NULL, NULL);
break;
default:
rc = ldap_result2error(cookie->conn->ld,
cookie->resultMsg, 1);
break;
}
if ((rc == LDAP_TIMEOUT ||
rc == LDAP_SERVER_DOWN) &&
(cookie->conn_user == NULL ||
cookie->conn_user->conn_mt == NULL)) {
if (rc == LDAP_TIMEOUT)
(void) __s_api_removeServer(
cookie->conn->serverAddr);
if (cookie->connectionId > -1) {
DropConnection(
cookie->connectionId,
NS_LDAP_NEW_CONN);
cookie->connectionId = -1;
}
cookie->err_from_result = 1;
}
(void) ldap_msgfree(cookie->resultMsg);
cookie->resultMsg = NULL;
if (rc == LDAP_BUSY ||
rc == LDAP_UNAVAILABLE ||
rc == LDAP_UNWILLING_TO_PERFORM) {
if (cookie->reinit_on_retriable_err) {
cookie->err_rc = rc;
cookie->err_from_result = 1;
cookie->new_state = REINIT;
} else
cookie->new_state =
NEXT_SESSION;
break;
}
if ((rc == LDAP_CONNECT_ERROR ||
rc == LDAP_SERVER_DOWN) &&
cookie->reinit_on_retriable_err) {
ns_ldap_error_t *errorp = NULL;
cookie->err_rc = rc;
cookie->err_from_result = 1;
cookie->new_state = REINIT;
if (cookie->conn_user != NULL)
__s_api_conn_mt_close(
cookie->conn_user,
rc, &errorp);
if (errorp != NULL) {
(void) __ns_ldap_freeError(
&cookie->errorp);
cookie->errorp = errorp;
}
break;
}
cookie->err_rc = rc;
cookie->new_state = LDAP_ERROR;
break;
}
/* else LDAP_RES_SEARCH_ENTRY */
rc = __s_api_getEntry(cookie);
(void) ldap_msgfree(cookie->resultMsg);
cookie->resultMsg = NULL;
if (rc != NS_LDAP_SUCCESS) {
cookie->new_state = LDAP_ERROR;
break;
}
cookie->new_state = PROCESS_RESULT;
cookie->next_state = MULTI_RESULT;
break;
case PROCESS_RESULT:
/* NOTE THIS STATE MAY BE PROCESSED BY CALLER */
if (cookie->use_usercb && cookie->callback) {
rc = 0;
for (nextEntry = cookie->result->entry;
nextEntry != NULL;
nextEntry = nextEntry->next) {
rc = (*cookie->callback)(nextEntry,
cookie->userdata);
if (rc == NS_LDAP_CB_DONE) {
/* cb doesn't want any more data */
rc = NS_LDAP_PARTIAL;
cookie->err_rc = rc;
break;
} else if (rc != NS_LDAP_CB_NEXT) {
/* invalid return code */
rc = NS_LDAP_OP_FAILED;
cookie->err_rc = rc;
break;
}
}
(void) __ns_ldap_freeResult(&cookie->result);
cookie->result = NULL;
}
if (rc != 0) {
cookie->new_state = EXIT;
break;
}
/* NOTE PREVIOUS STATE SPECIFIES NEXT STATE */
cookie->new_state = cookie->next_state;
break;
case END_PROCESS_RESULT:
cookie->new_state = cookie->next_state;
break;
case END_RESULT:
/*
* XXX DO WE NEED THIS CASE?
* if (search is complete) {
* cookie->new_state = EXIT;
* } else
*/
/*
* entering referral mode if necessary
*/
if (cookie->followRef && cookie->reflist)
cookie->new_state =
NEXT_REFERRAL;
else
cookie->new_state =
NEXT_SEARCH_DESCRIPTOR;
break;
case NEXT_REFERRAL:
/* get next referral info */
if (cookie->refpos == NULL)
cookie->refpos =
cookie->reflist;
else
cookie->refpos =
cookie->refpos->next;
/* check see if done with all referrals */
if (cookie->refpos != NULL)
cookie->new_state =
GET_REFERRAL_SESSION;
else {
__s_api_deleteRefInfo(cookie->reflist);
cookie->reflist = NULL;
cookie->new_state =
NEXT_SEARCH_DESCRIPTOR;
if (cookie->conn_user != NULL)
cookie->conn_user->referral = B_FALSE;
}
break;
case GET_REFERRAL_SESSION:
if (get_referral_session(cookie) < 0)
cookie->new_state = EXIT;
else {
cookie->new_state = NEXT_SEARCH;
}
break;
case LDAP_ERROR:
rc_save = cookie->err_rc;
if (cookie->err_from_result) {
if (cookie->err_rc == LDAP_SERVER_DOWN) {
(void) sprintf(errstr,
gettext("LDAP ERROR (%d): "
"Error occurred during"
" receiving results. "
"Connection to server lost."),
cookie->err_rc);
} else if (cookie->err_rc == LDAP_TIMEOUT) {
(void) sprintf(errstr,
gettext("LDAP ERROR (%d): "
"Error occurred during"
" receiving results. %s"
"."), cookie->err_rc,
ldap_err2string(
cookie->err_rc));
}
} else
(void) sprintf(errstr,
gettext("LDAP ERROR (%d): %s."),
cookie->err_rc,
ldap_err2string(cookie->err_rc));
err = strdup(errstr);
if (cookie->err_from_result) {
if (cookie->err_rc == LDAP_SERVER_DOWN) {
MKERROR(LOG_INFO, *errorp,
cookie->err_rc, err, NULL);
} else {
MKERROR(LOG_WARNING, *errorp,
cookie->err_rc, err, NULL);
}
} else {
MKERROR(LOG_WARNING, *errorp, NS_LDAP_INTERNAL,
err, NULL);
}
cookie->err_rc = NS_LDAP_INTERNAL;
cookie->errorp = *errorp;
if (cookie->conn_user != NULL) {
if (rc_save == LDAP_SERVER_DOWN ||
rc_save == LDAP_CONNECT_ERROR) {
/*
* MT connection is not usable,
* close it.
*/
__s_api_conn_mt_close(cookie->conn_user,
rc_save, &cookie->errorp);
return (ERROR);
}
}
return (ERROR);
default:
case ERROR:
(void) sprintf(errstr,
gettext("Internal State machine exit (%d).\n"),
cookie->state);
err = strdup(errstr);
MKERROR(LOG_WARNING, *errorp, NS_LDAP_INTERNAL, err,
NULL);
cookie->err_rc = NS_LDAP_INTERNAL;
cookie->errorp = *errorp;
return (ERROR);
}
if (cookie->conn_user != NULL &&
cookie->conn_user->bad_mt_conn == B_TRUE) {
__s_api_conn_mt_close(cookie->conn_user, 0, NULL);
cookie->err_rc = cookie->conn_user->ns_rc;
cookie->errorp = cookie->conn_user->ns_error;
cookie->conn_user->ns_error = NULL;
return (ERROR);
}
if (cycle == ONE_STEP) {
return (cookie->new_state);
}
cookie->state = cookie->new_state;
}
/*NOTREACHED*/
#if 0
(void) sprintf(errstr,
gettext("Unexpected State machine error.\n"));
err = strdup(errstr);
MKERROR(LOG_WARNING, *errorp, NS_LDAP_INTERNAL, err, NULL);
cookie->err_rc = NS_LDAP_INTERNAL;
cookie->errorp = *errorp;
return (ERROR);
#endif
}
/*
* For a lookup of shadow data, if shadow update is enabled,
* check the calling process' privilege to ensure it's
* allowed to perform such operation.
*/
static int
check_shadow(ns_ldap_cookie_t *cookie, const char *service)
{
char errstr[MAXERROR];
char *err;
boolean_t priv;
/* caller */
priv_set_t *ps;
/* zone */
priv_set_t *zs;
/*
* If service is "shadow", we may need
* to use privilege credentials.
*/
if ((strcmp(service, "shadow") == 0) &&
__ns_ldap_is_shadow_update_enabled()) {
/*
* Since we release admin credentials after
* connection is closed and we do not cache
* them, we allow any root or all zone
* privilege process to read shadow data.
*/
priv = (geteuid() == 0);
if (!priv) {
/* caller */
ps = priv_allocset();
(void) getppriv(PRIV_EFFECTIVE, ps);
zs = priv_str_to_set("zone", ",", NULL);
priv = priv_isequalset(ps, zs);
priv_freeset(ps);
priv_freeset(zs);
}
if (!priv) {
(void) sprintf(errstr,
gettext("Permission denied"));
err = strdup(errstr);
if (err == NULL)
return (NS_LDAP_MEMORY);
MKERROR(LOG_INFO, cookie->errorp, NS_LDAP_INTERNAL, err,
NULL);
return (NS_LDAP_INTERNAL);
}
cookie->i_flags |= NS_LDAP_READ_SHADOW;
/*
* We do not want to reuse connection (hence
* keep it open) with admin credentials.
* If NS_LDAP_KEEP_CONN is set, reject the
* request.
*/
if (cookie->i_flags & NS_LDAP_KEEP_CONN)
return (NS_LDAP_INVALID_PARAM);
cookie->i_flags |= NS_LDAP_NEW_CONN;
}
return (NS_LDAP_SUCCESS);
}
/*
* internal function for __ns_ldap_list
*/
static int
ldap_list(
ns_ldap_list_batch_t *batch,
const char *service,
const char *filter,
int (*init_filter_cb)(const ns_ldap_search_desc_t *desc,
char **realfilter, const void *userdata),
const char * const *attribute,
const ns_cred_t *auth,
const int flags,
ns_ldap_result_t **rResult, /* return result entries */
ns_ldap_error_t **errorp,
int *rcp,
int (*callback)(const ns_ldap_entry_t *entry, const void *userdata),
const void *userdata, ns_conn_user_t *conn_user)
{
ns_ldap_cookie_t *cookie;
ns_ldap_search_desc_t **sdlist = NULL;
ns_ldap_search_desc_t *dptr;
ns_ldap_error_t *error = NULL;
char **dns = NULL;
int scope;
int rc;
int from_result;
*errorp = NULL;
*rResult = NULL;
*rcp = NS_LDAP_SUCCESS;
/*
* Sanity check - NS_LDAP_READ_SHADOW is for our
* own internal use.
*/
if (flags & NS_LDAP_READ_SHADOW)
return (NS_LDAP_INVALID_PARAM);
/* Initialize State machine cookie */
cookie = init_search_state_machine();
if (cookie == NULL) {
*rcp = NS_LDAP_MEMORY;
return (NS_LDAP_MEMORY);
}
cookie->conn_user = conn_user;
/* see if need to follow referrals */
rc = __s_api_toFollowReferrals(flags,
&cookie->followRef, errorp);
if (rc != NS_LDAP_SUCCESS) {
delete_search_cookie(cookie);
*rcp = rc;
return (rc);
}
/* get the service descriptor - or create a default one */
rc = __s_api_get_SSD_from_SSDtoUse_service(service,
&sdlist, errorp);
if (rc != NS_LDAP_SUCCESS) {
delete_search_cookie(cookie);
*errorp = error;
*rcp = rc;
return (rc);
}
if (sdlist == NULL) {
/* Create default service Desc */
sdlist = (ns_ldap_search_desc_t **)calloc(2,
sizeof (ns_ldap_search_desc_t *));
if (sdlist == NULL) {
delete_search_cookie(cookie);
cookie = NULL;
*rcp = NS_LDAP_MEMORY;
return (NS_LDAP_MEMORY);
}
dptr = (ns_ldap_search_desc_t *)
calloc(1, sizeof (ns_ldap_search_desc_t));
if (dptr == NULL) {
free(sdlist);
delete_search_cookie(cookie);
cookie = NULL;
*rcp = NS_LDAP_MEMORY;
return (NS_LDAP_MEMORY);
}
sdlist[0] = dptr;
/* default base */
rc = __s_api_getDNs(&dns, service, &cookie->errorp);
if (rc != NS_LDAP_SUCCESS) {
if (dns) {
__s_api_free2dArray(dns);
dns = NULL;
}
*errorp = cookie->errorp;
cookie->errorp = NULL;
delete_search_cookie(cookie);
cookie = NULL;
*rcp = rc;
return (rc);
}
dptr->basedn = strdup(dns[0]);
__s_api_free2dArray(dns);
dns = NULL;
/* default scope */
scope = 0;
rc = __s_api_getSearchScope(&scope, &cookie->errorp);
dptr->scope = scope;
}
cookie->sdlist = sdlist;
/*
* use VLV/PAGE control only if NS_LDAP_PAGE_CTRL is set
*/
if (flags & NS_LDAP_PAGE_CTRL)
cookie->use_paging = TRUE;
else
cookie->use_paging = FALSE;
/* Set up other arguments */
cookie->userdata = userdata;
if (init_filter_cb != NULL) {
cookie->init_filter_cb = init_filter_cb;
cookie->use_filtercb = 1;
}
if (callback != NULL) {
cookie->callback = callback;
cookie->use_usercb = 1;
}
/* check_shadow() may add extra value to cookie->i_flags */
cookie->i_flags = flags;
if (service) {
cookie->service = strdup(service);
if (cookie->service == NULL) {
delete_search_cookie(cookie);
cookie = NULL;
*rcp = NS_LDAP_MEMORY;
return (NS_LDAP_MEMORY);
}
/*
* If given, use the credential given by the caller, and
* skip the credential check required for shadow update.
*/
if (auth == NULL) {
rc = check_shadow(cookie, service);
if (rc != NS_LDAP_SUCCESS) {
*errorp = cookie->errorp;
cookie->errorp = NULL;
delete_search_cookie(cookie);
cookie = NULL;
*rcp = rc;
return (rc);
}
}
}
cookie->i_filter = strdup(filter);
cookie->i_attr = attribute;
cookie->i_auth = auth;
if (batch != NULL) {
cookie->batch = batch;
cookie->reinit_on_retriable_err = B_TRUE;
cookie->no_wait = B_TRUE;
(void) search_state_machine(cookie, INIT, 0);
cookie->no_wait = B_FALSE;
rc = cookie->err_rc;
if (rc == NS_LDAP_SUCCESS) {
/*
* Here rc == NS_LDAP_SUCCESS means that the state
* machine init'ed successfully. The actual status
* of the search will be determined by
* __ns_ldap_list_batch_end(). Add the cookie to our
* batch.
*/
cookie->caller_result = rResult;
cookie->caller_errorp = errorp;
cookie->caller_rc = rcp;
cookie->next_cookie_in_batch = batch->cookie_list;
batch->cookie_list = cookie;
batch->nactive++;
return (rc);
}
/*
* If state machine init failed then copy error to the caller
* and delete the cookie.
*/
} else {
(void) search_state_machine(cookie, INIT, 0);
}
/* Copy results back to user */
rc = cookie->err_rc;
if (rc != NS_LDAP_SUCCESS) {
if (conn_user != NULL && conn_user->ns_error != NULL) {
*errorp = conn_user->ns_error;
conn_user->ns_error = NULL;
} else
*errorp = cookie->errorp;
}
*rResult = cookie->result;
from_result = cookie->err_from_result;
cookie->errorp = NULL;
cookie->result = NULL;
delete_search_cookie(cookie);
cookie = NULL;
if (from_result == 0 && *rResult == NULL)
rc = NS_LDAP_NOTFOUND;
*rcp = rc;
return (rc);
}
/*
* __ns_ldap_list performs one or more LDAP searches to a given
* directory server using service search descriptors and schema
* mapping as appropriate. The operation may be retried a
* couple of times in error situations.
*/
int
__ns_ldap_list(
const char *service,
const char *filter,
int (*init_filter_cb)(const ns_ldap_search_desc_t *desc,
char **realfilter, const void *userdata),
const char * const *attribute,
const ns_cred_t *auth,
const int flags,
ns_ldap_result_t **rResult, /* return result entries */
ns_ldap_error_t **errorp,
int (*callback)(const ns_ldap_entry_t *entry, const void *userdata),
const void *userdata)
{
ns_conn_user_t *cu = NULL;
int try_cnt = 0;
int rc = NS_LDAP_SUCCESS, trc;
for (;;) {
if (__s_api_setup_retry_search(&cu, NS_CONN_USER_SEARCH,
&try_cnt, &rc, errorp) == 0)
break;
rc = ldap_list(NULL, service, filter, init_filter_cb, attribute,
auth, flags, rResult, errorp, &trc, callback, userdata, cu);
}
return (rc);
}
/*
* Create and initialize batch for native LDAP lookups
*/
int
__ns_ldap_list_batch_start(ns_ldap_list_batch_t **batch)
{
*batch = calloc(1, sizeof (ns_ldap_list_batch_t));
if (*batch == NULL)
return (NS_LDAP_MEMORY);
return (NS_LDAP_SUCCESS);
}
/*
* Add a LDAP search request to the batch.
*/
int
__ns_ldap_list_batch_add(
ns_ldap_list_batch_t *batch,
const char *service,
const char *filter,
int (*init_filter_cb)(const ns_ldap_search_desc_t *desc,
char **realfilter, const void *userdata),
const char * const *attribute,
const ns_cred_t *auth,
const int flags,
ns_ldap_result_t **rResult, /* return result entries */
ns_ldap_error_t **errorp,
int *rcp,
int (*callback)(const ns_ldap_entry_t *entry, const void *userdata),
const void *userdata)
{
ns_conn_user_t *cu;
int rc;
cu = __s_api_conn_user_init(NS_CONN_USER_SEARCH, NULL, 0);
if (cu == NULL) {
if (rcp != NULL)
*rcp = NS_LDAP_MEMORY;
return (NS_LDAP_MEMORY);
}
rc = ldap_list(batch, service, filter, init_filter_cb, attribute, auth,
flags, rResult, errorp, rcp, callback, userdata, cu);
/*
* Free the conn_user if the cookie was not batched. If the cookie
* was batched then __ns_ldap_list_batch_end or release will free the
* conn_user. The batch API instructs the search_state_machine
* to reinit and retry (max 3 times) on retriable LDAP errors.
*/
if (rc != NS_LDAP_SUCCESS && cu != NULL) {
if (cu->conn_mt != NULL)
__s_api_conn_mt_return(cu);
__s_api_conn_user_free(cu);
}
return (rc);
}
/*
* Free batch.
*/
void
__ns_ldap_list_batch_release(ns_ldap_list_batch_t *batch)
{
ns_ldap_cookie_t *c, *next;
for (c = batch->cookie_list; c != NULL; c = next) {
next = c->next_cookie_in_batch;
if (c->conn_user != NULL) {
if (c->conn_user->conn_mt != NULL)
__s_api_conn_mt_return(c->conn_user);
__s_api_conn_user_free(c->conn_user);
c->conn_user = NULL;
}
delete_search_cookie(c);
}
free(batch);
}
#define LD_USING_STATE(st) \
((st == DO_SEARCH) || (st == MULTI_RESULT) || (st == NEXT_RESULT))
/*
* Process batch. Everytime this function is called it selects an
* active cookie from the batch and single steps through the
* search_state_machine for the selected cookie. If lookup associated
* with the cookie is complete (success or error) then the cookie is
* removed from the batch and its memory freed.
*
* Returns 1 (if batch still has active cookies)
* 0 (if batch has no more active cookies)
* -1 (on errors, *rcp will contain the error code)
*
* The caller should call this function in a loop as long as it returns 1
* to process all the requests added to the batch. The results (and errors)
* will be available in the locations provided by the caller at the time of
* __ns_ldap_list_batch_add().
*/
static
int
__ns_ldap_list_batch_process(ns_ldap_list_batch_t *batch, int *rcp)
{
ns_ldap_cookie_t *c, *ptr, **prev;
ns_state_t state;
ns_ldap_error_t *errorp = NULL;
int rc;
/* Check if are already done */
if (batch->nactive == 0)
return (0);
/* Get the next cookie from the batch */
c = (batch->next_cookie == NULL) ?
batch->cookie_list : batch->next_cookie;
batch->next_cookie = c->next_cookie_in_batch;
/*
* Checks the status of the cookie's connection if it needs
* to use that connection for ldap_search_ext or ldap_result.
* If the connection is no longer good but worth retrying
* then reinit the search_state_machine for this cookie
* starting from the first search descriptor. REINIT will
* clear any leftover results if max retries have not been
* reached and redo the search (which may also involve
* following referrals again).
*
* Note that each cookie in the batch will make this
* determination when it reaches one of the LD_USING_STATES.
*/
if (LD_USING_STATE(c->new_state) && c->conn_user != NULL) {
rc = __s_api_setup_getnext(c->conn_user, &c->err_rc, &errorp);
if (rc == LDAP_BUSY || rc == LDAP_UNAVAILABLE ||
rc == LDAP_UNWILLING_TO_PERFORM) {
if (errorp != NULL) {
(void) __ns_ldap_freeError(&c->errorp);
c->errorp = errorp;
}
c->new_state = REINIT;
} else if (rc == LDAP_CONNECT_ERROR ||
rc == LDAP_SERVER_DOWN) {
if (errorp != NULL) {
(void) __ns_ldap_freeError(&c->errorp);
c->errorp = errorp;
}
c->new_state = REINIT;
/*
* MT connection is not usable,
* close it before REINIT.
*/
__s_api_conn_mt_close(
c->conn_user, rc, NULL);
} else if (rc != NS_LDAP_SUCCESS) {
if (rcp != NULL)
*rcp = rc;
*c->caller_result = NULL;
*c->caller_errorp = errorp;
*c->caller_rc = rc;
return (-1);
}
}
for (;;) {
/* Single step through the search_state_machine */
state = search_state_machine(c, c->new_state, ONE_STEP);
switch (state) {
case LDAP_ERROR:
(void) search_state_machine(c, state, ONE_STEP);
(void) search_state_machine(c, CLEAR_RESULTS, ONE_STEP);
/* FALLTHROUGH */
case ERROR:
case EXIT:
*c->caller_result = c->result;
*c->caller_errorp = c->errorp;
*c->caller_rc =
(c->result == NULL && c->err_from_result == 0)
? NS_LDAP_NOTFOUND : c->err_rc;
c->result = NULL;
c->errorp = NULL;
/* Remove the cookie from the batch */
ptr = batch->cookie_list;
prev = &batch->cookie_list;
while (ptr != NULL) {
if (ptr == c) {
*prev = ptr->next_cookie_in_batch;
break;
}
prev = &ptr->next_cookie_in_batch;
ptr = ptr->next_cookie_in_batch;
}
/* Delete cookie and decrement active cookie count */
if (c->conn_user != NULL) {
if (c->conn_user->conn_mt != NULL)
__s_api_conn_mt_return(c->conn_user);
__s_api_conn_user_free(c->conn_user);
c->conn_user = NULL;
}
delete_search_cookie(c);
batch->nactive--;
break;
case NEXT_RESULT:
case MULTI_RESULT:
/*
* This means that search_state_machine needs to do
* another ldap_result() for the cookie in question.
* We only do at most one ldap_result() per call in
* this function and therefore we return. This allows
* the caller to process results from other cookies
* in the batch without getting tied up on just one
* cookie.
*/
break;
default:
/*
* This includes states that follow NEXT_RESULT or
* MULTI_RESULT such as PROCESS_RESULT and
* END_PROCESS_RESULT. We continue processing
* this cookie till we reach either the error, exit
* or the result states.
*/
continue;
}
break;
}
/* Return 0 if no more cookies left otherwise 1 */
return ((batch->nactive > 0) ? 1 : 0);
}
/*
* Process all the active cookies in the batch and when none
* remains finalize the batch.
*/
int
__ns_ldap_list_batch_end(ns_ldap_list_batch_t *batch)
{
int rc = NS_LDAP_SUCCESS;
while (__ns_ldap_list_batch_process(batch, &rc) > 0)
;
__ns_ldap_list_batch_release(batch);
return (rc);
}
/*
* find_domainname performs one or more LDAP searches to
* find the value of the nisdomain attribute associated with
* the input DN (with no retry).
*/
static int
find_domainname(const char *dn, char **domainname, const ns_cred_t *cred,
ns_ldap_error_t **errorp, ns_conn_user_t *conn_user)
{
ns_ldap_cookie_t *cookie;
ns_ldap_search_desc_t **sdlist;
ns_ldap_search_desc_t *dptr;
int rc;
char **value;
int flags = 0;
*domainname = NULL;
*errorp = NULL;
/* Initialize State machine cookie */
cookie = init_search_state_machine();
if (cookie == NULL) {
return (NS_LDAP_MEMORY);
}
cookie->conn_user = conn_user;
/* see if need to follow referrals */
rc = __s_api_toFollowReferrals(flags,
&cookie->followRef, errorp);
if (rc != NS_LDAP_SUCCESS) {
delete_search_cookie(cookie);
return (rc);
}
/* Create default service Desc */
sdlist = (ns_ldap_search_desc_t **)calloc(2,
sizeof (ns_ldap_search_desc_t *));
if (sdlist == NULL) {
delete_search_cookie(cookie);
cookie = NULL;
return (NS_LDAP_MEMORY);
}
dptr = (ns_ldap_search_desc_t *)
calloc(1, sizeof (ns_ldap_search_desc_t));
if (dptr == NULL) {
free(sdlist);
delete_search_cookie(cookie);
cookie = NULL;
return (NS_LDAP_MEMORY);
}
sdlist[0] = dptr;
/* search base is dn */
dptr->basedn = strdup(dn);
/* search scope is base */
dptr->scope = NS_LDAP_SCOPE_BASE;
/* search filter is "nisdomain=*" */
dptr->filter = strdup(_NIS_FILTER);
cookie->sdlist = sdlist;
cookie->i_filter = strdup(dptr->filter);
cookie->i_attr = nis_domain_attrs;
cookie->i_auth = cred;
cookie->i_flags = 0;
/* Process search */
rc = search_state_machine(cookie, INIT, 0);
/* Copy domain name if found */
rc = cookie->err_rc;
if (rc != NS_LDAP_SUCCESS) {
if (conn_user != NULL && conn_user->ns_error != NULL) {
*errorp = conn_user->ns_error;
conn_user->ns_error = NULL;
} else
*errorp = cookie->errorp;
}
if (cookie->result == NULL)
rc = NS_LDAP_NOTFOUND;
if (rc == NS_LDAP_SUCCESS) {
value = __ns_ldap_getAttr(cookie->result->entry,
_NIS_DOMAIN);
if (value[0])
*domainname = strdup(value[0]);
else
rc = NS_LDAP_NOTFOUND;
}
if (cookie->result != NULL)
(void) __ns_ldap_freeResult(&cookie->result);
cookie->errorp = NULL;
delete_search_cookie(cookie);
cookie = NULL;
return (rc);
}
/*
* __s_api_find_domainname performs one or more LDAP searches to
* find the value of the nisdomain attribute associated with
* the input DN (with retry).
*/
static int
__s_api_find_domainname(const char *dn, char **domainname,
const ns_cred_t *cred, ns_ldap_error_t **errorp)
{
ns_conn_user_t *cu = NULL;
int try_cnt = 0;
int rc = NS_LDAP_SUCCESS;
for (;;) {
if (__s_api_setup_retry_search(&cu, NS_CONN_USER_SEARCH,
&try_cnt, &rc, errorp) == 0)
break;
rc = find_domainname(dn, domainname, cred, errorp, cu);
}
return (rc);
}
static int
firstEntry(
const char *service,
const char *filter,
int (*init_filter_cb)(const ns_ldap_search_desc_t *desc,
char **realfilter, const void *userdata),
const char * const *attribute,
const ns_cred_t *auth,
const int flags,
void **vcookie,
ns_ldap_result_t **result,
ns_ldap_error_t ** errorp,
const void *userdata,
ns_conn_user_t *conn_user)
{
ns_ldap_cookie_t *cookie = NULL;
ns_ldap_error_t *error = NULL;
ns_state_t state;
ns_ldap_search_desc_t **sdlist;
ns_ldap_search_desc_t *dptr;
char **dns = NULL;
int scope;
int rc;
*errorp = NULL;
*result = NULL;
/*
* Sanity check - NS_LDAP_READ_SHADOW is for our
* own internal use.
*/
if (flags & NS_LDAP_READ_SHADOW)
return (NS_LDAP_INVALID_PARAM);
/* get the service descriptor - or create a default one */
rc = __s_api_get_SSD_from_SSDtoUse_service(service,
&sdlist, errorp);
if (rc != NS_LDAP_SUCCESS) {
*errorp = error;
return (rc);
}
if (sdlist == NULL) {
/* Create default service Desc */
sdlist = (ns_ldap_search_desc_t **)calloc(2,
sizeof (ns_ldap_search_desc_t *));
if (sdlist == NULL) {
return (NS_LDAP_MEMORY);
}
dptr = (ns_ldap_search_desc_t *)
calloc(1, sizeof (ns_ldap_search_desc_t));
if (dptr == NULL) {
free(sdlist);
return (NS_LDAP_MEMORY);
}
sdlist[0] = dptr;
/* default base */
rc = __s_api_getDNs(&dns, service, &error);
if (rc != NS_LDAP_SUCCESS) {
if (dns) {
__s_api_free2dArray(dns);
dns = NULL;
}
if (sdlist) {
(void) __ns_ldap_freeSearchDescriptors(
&sdlist);
sdlist = NULL;
}
*errorp = error;
return (rc);
}
dptr->basedn = strdup(dns[0]);
__s_api_free2dArray(dns);
dns = NULL;
/* default scope */
scope = 0;
cookie = init_search_state_machine();
if (cookie == NULL) {
if (sdlist) {
(void) __ns_ldap_freeSearchDescriptors(&sdlist);
sdlist = NULL;
}
return (NS_LDAP_MEMORY);
}
rc = __s_api_getSearchScope(&scope, &cookie->errorp);
dptr->scope = scope;
}
/* Initialize State machine cookie */
if (cookie == NULL)
cookie = init_search_state_machine();
if (cookie == NULL) {
if (sdlist) {
(void) __ns_ldap_freeSearchDescriptors(&sdlist);
sdlist = NULL;
}
return (NS_LDAP_MEMORY);
}
/* identify self as a getent user */
cookie->conn_user = conn_user;
cookie->sdlist = sdlist;
/* see if need to follow referrals */
rc = __s_api_toFollowReferrals(flags,
&cookie->followRef, errorp);
if (rc != NS_LDAP_SUCCESS) {
delete_search_cookie(cookie);
return (rc);
}
/*
* use VLV/PAGE control only if NS_LDAP_NO_PAGE_CTRL is not set
*/
if (flags & NS_LDAP_NO_PAGE_CTRL)
cookie->use_paging = FALSE;
else
cookie->use_paging = TRUE;
/* Set up other arguments */
cookie->userdata = userdata;
if (init_filter_cb != NULL) {
cookie->init_filter_cb = init_filter_cb;
cookie->use_filtercb = 1;
}
cookie->use_usercb = 0;
/* check_shadow() may add extra value to cookie->i_flags */
cookie->i_flags = flags;
if (service) {
cookie->service = strdup(service);
if (cookie->service == NULL) {
delete_search_cookie(cookie);
return (NS_LDAP_MEMORY);
}
/*
* If given, use the credential given by the caller, and
* skip the credential check required for shadow update.
*/
if (auth == NULL) {
rc = check_shadow(cookie, service);
if (rc != NS_LDAP_SUCCESS) {
*errorp = cookie->errorp;
cookie->errorp = NULL;
delete_search_cookie(cookie);
cookie = NULL;
return (rc);
}
}
}
cookie->i_filter = strdup(filter);
cookie->i_attr = attribute;
cookie->i_auth = auth;
state = INIT;
for (;;) {
state = search_state_machine(cookie, state, ONE_STEP);
switch (state) {
case PROCESS_RESULT:
*result = cookie->result;
cookie->result = NULL;
*vcookie = (void *)cookie;
return (NS_LDAP_SUCCESS);
case LDAP_ERROR:
state = search_state_machine(cookie, state, ONE_STEP);
state = search_state_machine(cookie, CLEAR_RESULTS,
ONE_STEP);
/* FALLTHROUGH */
case ERROR:
rc = cookie->err_rc;
if (conn_user != NULL && conn_user->ns_error != NULL) {
*errorp = conn_user->ns_error;
conn_user->ns_error = NULL;
} else {
*errorp = cookie->errorp;
cookie->errorp = NULL;
}
delete_search_cookie(cookie);
return (rc);
case EXIT:
rc = cookie->err_rc;
if (rc != NS_LDAP_SUCCESS) {
*errorp = cookie->errorp;
cookie->errorp = NULL;
} else {
rc = NS_LDAP_NOTFOUND;
}
delete_search_cookie(cookie);
return (rc);
default:
break;
}
}
}
int
__ns_ldap_firstEntry(
const char *service,
const char *filter,
int (*init_filter_cb)(const ns_ldap_search_desc_t *desc,
char **realfilter, const void *userdata),
const char * const *attribute,
const ns_cred_t *auth,
const int flags,
void **vcookie,
ns_ldap_result_t **result,
ns_ldap_error_t ** errorp,
const void *userdata)
{
ns_conn_user_t *cu = NULL;
int try_cnt = 0;
int rc = NS_LDAP_SUCCESS;
for (;;) {
if (__s_api_setup_retry_search(&cu, NS_CONN_USER_GETENT,
&try_cnt, &rc, errorp) == 0)
break;
rc = firstEntry(service, filter, init_filter_cb, attribute,
auth, flags, vcookie, result, errorp, userdata, cu);
}
return (rc);
}
/*ARGSUSED2*/
int
__ns_ldap_nextEntry(void *vcookie, ns_ldap_result_t **result,
ns_ldap_error_t ** errorp)
{
ns_ldap_cookie_t *cookie;
ns_state_t state;
int rc;
cookie = (ns_ldap_cookie_t *)vcookie;
cookie->result = NULL;
*result = NULL;
if (cookie->conn_user != NULL) {
rc = __s_api_setup_getnext(cookie->conn_user,
&cookie->err_rc, errorp);
if (rc != NS_LDAP_SUCCESS)
return (rc);
}
state = END_PROCESS_RESULT;
for (;;) {
state = search_state_machine(cookie, state, ONE_STEP);
switch (state) {
case PROCESS_RESULT:
*result = cookie->result;
cookie->result = NULL;
return (NS_LDAP_SUCCESS);
case LDAP_ERROR:
state = search_state_machine(cookie, state, ONE_STEP);
state = search_state_machine(cookie, CLEAR_RESULTS,
ONE_STEP);
/* FALLTHROUGH */
case ERROR:
rc = cookie->err_rc;
*errorp = cookie->errorp;
cookie->errorp = NULL;
return (rc);
case EXIT:
return (NS_LDAP_SUCCESS);
}
}
}
int
__ns_ldap_endEntry(
void **vcookie,
ns_ldap_error_t ** errorp)
{
ns_ldap_cookie_t *cookie;
int rc;
if (*vcookie == NULL)
return (NS_LDAP_INVALID_PARAM);
cookie = (ns_ldap_cookie_t *)(*vcookie);
cookie->result = NULL;
/* Complete search */
rc = search_state_machine(cookie, CLEAR_RESULTS, 0);
/* Copy results back to user */
rc = cookie->err_rc;
if (rc != NS_LDAP_SUCCESS)
*errorp = cookie->errorp;
cookie->errorp = NULL;
if (cookie->conn_user != NULL) {
if (cookie->conn_user->conn_mt != NULL)
__s_api_conn_mt_return(cookie->conn_user);
__s_api_conn_user_free(cookie->conn_user);
}
delete_search_cookie(cookie);
cookie = NULL;
*vcookie = NULL;
return (rc);
}
int
__ns_ldap_freeResult(ns_ldap_result_t **result)
{
ns_ldap_entry_t *curEntry = NULL;
ns_ldap_entry_t *delEntry = NULL;
int i;
ns_ldap_result_t *res = *result;
#ifdef DEBUG
(void) fprintf(stderr, "__ns_ldap_freeResult START\n");
#endif
if (res == NULL)
return (NS_LDAP_INVALID_PARAM);
if (res->entry != NULL)
curEntry = res->entry;
for (i = 0; i < res->entries_count; i++) {
if (curEntry != NULL) {
delEntry = curEntry;
curEntry = curEntry->next;
__ns_ldap_freeEntry(delEntry);
}
}
free(res);
*result = NULL;
return (NS_LDAP_SUCCESS);
}
/*ARGSUSED*/
int
__ns_ldap_auth(const ns_cred_t *auth,
const int flags,
ns_ldap_error_t **errorp,
LDAPControl **serverctrls,
LDAPControl **clientctrls)
{
ConnectionID connectionId = -1;
Connection *conp;
int rc = 0;
int do_not_fail_if_new_pwd_reqd = 0;
int nopasswd_acct_mgmt = 0;
ns_conn_user_t *conn_user;
#ifdef DEBUG
(void) fprintf(stderr, "__ns_ldap_auth START\n");
#endif
*errorp = NULL;
if (!auth)
return (NS_LDAP_INVALID_PARAM);
conn_user = __s_api_conn_user_init(NS_CONN_USER_AUTH,
NULL, B_FALSE);
rc = __s_api_getConnection(NULL, flags | NS_LDAP_NEW_CONN,
auth, &connectionId, &conp, errorp,
do_not_fail_if_new_pwd_reqd, nopasswd_acct_mgmt,
conn_user);
if (conn_user != NULL)
__s_api_conn_user_free(conn_user);
if (rc == NS_LDAP_OP_FAILED && *errorp)
(void) __ns_ldap_freeError(errorp);
if (connectionId > -1)
DropConnection(connectionId, flags);
return (rc);
}
char **
__ns_ldap_getAttr(const ns_ldap_entry_t *entry, const char *attrname)
{
int i;
if (entry == NULL)
return (NULL);
for (i = 0; i < entry->attr_count; i++) {
if (strcasecmp(entry->attr_pair[i]->attrname, attrname) == NULL)
return (entry->attr_pair[i]->attrvalue);
}
return (NULL);
}
ns_ldap_attr_t *
__ns_ldap_getAttrStruct(const ns_ldap_entry_t *entry, const char *attrname)
{
int i;
if (entry == NULL)
return (NULL);
for (i = 0; i < entry->attr_count; i++) {
if (strcasecmp(entry->attr_pair[i]->attrname, attrname) == NULL)
return (entry->attr_pair[i]);
}
return (NULL);
}
/*ARGSUSED*/
int
__ns_ldap_uid2dn(const char *uid,
char **userDN,
const ns_cred_t *cred, /* cred is ignored */
ns_ldap_error_t **errorp)
{
ns_ldap_result_t *result = NULL;
char *filter, *userdata;
char errstr[MAXERROR];
char **value;
int rc = 0;
int i = 0;
size_t len;
*errorp = NULL;
*userDN = NULL;
if ((uid == NULL) || (uid[0] == '\0'))
return (NS_LDAP_INVALID_PARAM);
while (uid[i] != '\0') {
if (uid[i] == '=') {
*userDN = strdup(uid);
return (NS_LDAP_SUCCESS);
}
i++;
}
i = 0;
while ((uid[i] != '\0') && (isdigit(uid[i])))
i++;
if (uid[i] == '\0') {
len = strlen(UIDNUMFILTER) + strlen(uid) + 1;
filter = (char *)malloc(len);
if (filter == NULL) {
*userDN = NULL;
return (NS_LDAP_MEMORY);
}
(void) snprintf(filter, len, UIDNUMFILTER, uid);
len = strlen(UIDNUMFILTER_SSD) + strlen(uid) + 1;
userdata = (char *)malloc(len);
if (userdata == NULL) {
*userDN = NULL;
return (NS_LDAP_MEMORY);
}
(void) snprintf(userdata, len, UIDNUMFILTER_SSD, uid);
} else {
len = strlen(UIDFILTER) + strlen(uid) + 1;
filter = (char *)malloc(len);
if (filter == NULL) {
*userDN = NULL;
return (NS_LDAP_MEMORY);
}
(void) snprintf(filter, len, UIDFILTER, uid);
len = strlen(UIDFILTER_SSD) + strlen(uid) + 1;
userdata = (char *)malloc(len);
if (userdata == NULL) {
*userDN = NULL;
return (NS_LDAP_MEMORY);
}
(void) snprintf(userdata, len, UIDFILTER_SSD, uid);
}
/*
* we want to retrieve the DN as it appears in LDAP
* hence the use of NS_LDAP_NOT_CVT_DN in flags
*/
rc = __ns_ldap_list("passwd", filter,
__s_api_merge_SSD_filter,
NULL, cred, NS_LDAP_NOT_CVT_DN,
&result, errorp, NULL,
userdata);
free(filter);
filter = NULL;
free(userdata);
userdata = NULL;
if (rc != NS_LDAP_SUCCESS) {
if (result) {
(void) __ns_ldap_freeResult(&result);
result = NULL;
}
return (rc);
}
if (result->entries_count > 1) {
(void) __ns_ldap_freeResult(&result);
result = NULL;
*userDN = NULL;
(void) sprintf(errstr,
gettext("Too many entries are returned for %s"), uid);
MKERROR(LOG_WARNING, *errorp, NS_LDAP_INTERNAL, strdup(errstr),
NULL);
return (NS_LDAP_INTERNAL);
}
value = __ns_ldap_getAttr(result->entry, "dn");
*userDN = strdup(value[0]);
(void) __ns_ldap_freeResult(&result);
result = NULL;
return (NS_LDAP_SUCCESS);
}
/*ARGSUSED*/
int
__ns_ldap_host2dn(const char *host,
const char *domain,
char **hostDN,
const ns_cred_t *cred, /* cred is ignored */
ns_ldap_error_t **errorp)
{
ns_ldap_result_t *result = NULL;
char *filter, *userdata;
char errstr[MAXERROR];
char **value;
int rc;
size_t len;
/*
* XXX
* the domain parameter needs to be used in case domain is not local, if
* this routine is to support multi domain setups, it needs lots of work...
*/
*errorp = NULL;
*hostDN = NULL;
if ((host == NULL) || (host[0] == '\0'))
return (NS_LDAP_INVALID_PARAM);
len = strlen(HOSTFILTER) + strlen(host) + 1;
filter = (char *)malloc(len);
if (filter == NULL) {
return (NS_LDAP_MEMORY);
}
(void) snprintf(filter, len, HOSTFILTER, host);
len = strlen(HOSTFILTER_SSD) + strlen(host) + 1;
userdata = (char *)malloc(len);
if (userdata == NULL) {
return (NS_LDAP_MEMORY);
}
(void) snprintf(userdata, len, HOSTFILTER_SSD, host);
/*
* we want to retrieve the DN as it appears in LDAP
* hence the use of NS_LDAP_NOT_CVT_DN in flags
*/
rc = __ns_ldap_list("hosts", filter,
__s_api_merge_SSD_filter,
NULL, cred, NS_LDAP_NOT_CVT_DN, &result,
errorp, NULL,
userdata);
free(filter);
filter = NULL;
free(userdata);
userdata = NULL;
if (rc != NS_LDAP_SUCCESS) {
if (result) {
(void) __ns_ldap_freeResult(&result);
result = NULL;
}
return (rc);
}
if (result->entries_count > 1) {
(void) __ns_ldap_freeResult(&result);
result = NULL;
*hostDN = NULL;
(void) sprintf(errstr,
gettext("Too many entries are returned for %s"), host);
MKERROR(LOG_WARNING, *errorp, NS_LDAP_INTERNAL, strdup(errstr),
NULL);
return (NS_LDAP_INTERNAL);
}
value = __ns_ldap_getAttr(result->entry, "dn");
*hostDN = strdup(value[0]);
(void) __ns_ldap_freeResult(&result);
result = NULL;
return (NS_LDAP_SUCCESS);
}
/*ARGSUSED*/
int
__ns_ldap_dn2domain(const char *dn,
char **domain,
const ns_cred_t *cred,
ns_ldap_error_t **errorp)
{
int rc, pnum, i, j, len = 0;
char *newdn, **rdns = NULL;
char **dns, *dn1;
*errorp = NULL;
if (domain == NULL)
return (NS_LDAP_INVALID_PARAM);
else
*domain = NULL;
if ((dn == NULL) || (dn[0] == '\0'))
return (NS_LDAP_INVALID_PARAM);
/*
* break dn into rdns
*/
dn1 = strdup(dn);
if (dn1 == NULL)
return (NS_LDAP_MEMORY);
rdns = ldap_explode_dn(dn1, 0);
free(dn1);
if (rdns == NULL || *rdns == NULL)
return (NS_LDAP_INVALID_PARAM);
for (i = 0; rdns[i]; i++)
len += strlen(rdns[i]) + 1;
pnum = i;
newdn = (char *)malloc(len + 1);
dns = (char **)calloc(pnum, sizeof (char *));
if (newdn == NULL || dns == NULL) {
if (newdn)
free(newdn);
ldap_value_free(rdns);
return (NS_LDAP_MEMORY);
}
/* construct a semi-normalized dn, newdn */
*newdn = '\0';
for (i = 0; rdns[i]; i++) {
dns[i] = newdn + strlen(newdn);
(void) strcat(newdn,
__s_api_remove_rdn_space(rdns[i]));
(void) strcat(newdn, ",");
}
/* remove the last ',' */
newdn[strlen(newdn) - 1] = '\0';
ldap_value_free(rdns);
/*
* loop and find the domain name associated with newdn,
* removing rdn one by one from left to right
*/
for (i = 0; i < pnum; i++) {
if (*errorp)
(void) __ns_ldap_freeError(errorp);
/*
* try cache manager first
*/
rc = __s_api_get_cachemgr_data(NS_CACHE_DN2DOMAIN,
dns[i], domain);
if (rc != NS_LDAP_SUCCESS) {
/*
* try ldap server second
*/
rc = __s_api_find_domainname(dns[i], domain,
cred, errorp);
} else {
/*
* skip the last one,
* since it is already cached by ldap_cachemgr
*/
i--;
}
if (rc == NS_LDAP_SUCCESS) {
if (__s_api_nscd_proc()) {
/*
* If it's nscd, ask cache manager to save the
* dn to domain mapping(s)
*/
for (j = 0; j <= i; j++) {
(void) __s_api_set_cachemgr_data(
NS_CACHE_DN2DOMAIN,
dns[j],
*domain);
}
}
break;
}
}
free(dns);
free(newdn);
if (rc != NS_LDAP_SUCCESS)
rc = NS_LDAP_NOTFOUND;
return (rc);
}
/*ARGSUSED*/
int
__ns_ldap_getServiceAuthMethods(const char *service,
ns_auth_t ***auth,
ns_ldap_error_t **errorp)
{
char errstr[MAXERROR];
int rc, i, done = 0;
int slen;
void **param;
char **sam, *srv, *send;
ns_auth_t **authpp = NULL, *ap;
int cnt, max;
ns_config_t *cfg;
ns_ldap_error_t *error = NULL;
if (errorp == NULL)
return (NS_LDAP_INVALID_PARAM);
*errorp = NULL;
if ((service == NULL) || (service[0] == '\0') ||
(auth == NULL))
return (NS_LDAP_INVALID_PARAM);
*auth = NULL;
rc = __ns_ldap_getParam(NS_LDAP_SERVICE_AUTH_METHOD_P, ¶m, &error);
if (rc != NS_LDAP_SUCCESS || param == NULL) {
*errorp = error;
return (rc);
}
sam = (char **)param;
cfg = __s_api_get_default_config();
cnt = 0;
slen = strlen(service);
for (; *sam; sam++) {
srv = *sam;
if (strncasecmp(service, srv, slen) != 0)
continue;
srv += slen;
if (*srv != COLONTOK)
continue;
send = srv;
srv++;
for (max = 1; (send = strchr(++send, SEMITOK)) != NULL;
max++) {}
authpp = (ns_auth_t **)calloc(++max, sizeof (ns_auth_t *));
if (authpp == NULL) {
(void) __ns_ldap_freeParam(¶m);
__s_api_release_config(cfg);
return (NS_LDAP_MEMORY);
}
while (!done) {
send = strchr(srv, SEMITOK);
if (send != NULL) {
*send = '\0';
send++;
}
i = __s_get_enum_value(cfg, srv, NS_LDAP_AUTH_P);
if (i == -1) {
(void) __ns_ldap_freeParam(¶m);
(void) sprintf(errstr,
gettext("Unsupported "
"serviceAuthenticationMethod: %s.\n"), srv);
MKERROR(LOG_WARNING, *errorp, NS_CONFIG_SYNTAX,
strdup(errstr), NULL);
__s_api_release_config(cfg);
return (NS_LDAP_CONFIG);
}
ap = __s_api_AuthEnumtoStruct((EnumAuthType_t)i);
if (ap == NULL) {
(void) __ns_ldap_freeParam(¶m);
__s_api_release_config(cfg);
return (NS_LDAP_MEMORY);
}
authpp[cnt++] = ap;
if (send == NULL)
done = TRUE;
else
srv = send;
}
}
*auth = authpp;
(void) __ns_ldap_freeParam(¶m);
__s_api_release_config(cfg);
return (NS_LDAP_SUCCESS);
}
/*
* This routine is called when certain scenario occurs
* e.g.
* service == auto_home
* SSD = automount: ou = mytest,
* NS_LDAP_MAPATTRIBUTE= auto_home: automountMapName=AAA
* NS_LDAP_OBJECTCLASSMAP= auto_home:automountMap=MynisMap
* NS_LDAP_OBJECTCLASSMAP= auto_home:automount=MynisObject
*
* The automountMapName is prepended implicitely but is mapped
* to AAA. So dn could appers as
* dn: AAA=auto_home,ou=bar,dc=foo,dc=com
* dn: automountKey=user_01,AAA=auto_home,ou=bar,dc=foo,dc=com
* dn: automountKey=user_02,AAA=auto_home,ou=bar,dc=foo,dc=com
* in the directory.
* This function is called to covert the mapped attr back to
* orig attr when the entries are searched and returned
*/
int
__s_api_convert_automountmapname(const char *service, char **dn,
ns_ldap_error_t **errp) {
char **mapping = NULL;
char *mapped_attr = NULL;
char *automountmapname = "automountMapName";
char *buffer = NULL;
int rc = NS_LDAP_SUCCESS;
char errstr[MAXERROR];
/*
* dn is an input/out parameter, check it first
*/
if (service == NULL || dn == NULL || *dn == NULL)
return (NS_LDAP_INVALID_PARAM);
/*
* Check to see if there is a mapped attribute for auto_xxx
*/
mapping = __ns_ldap_getMappedAttributes(service, automountmapname);
/*
* if no mapped attribute for auto_xxx, try automount
*/
if (mapping == NULL)
mapping = __ns_ldap_getMappedAttributes(
"automount", automountmapname);
/*
* if no mapped attribute is found, return SUCCESS (no op)
*/
if (mapping == NULL)
return (NS_LDAP_SUCCESS);
/*
* if the mapped attribute is found and attr is not empty,
* copy it
*/
if (mapping[0] != NULL) {
mapped_attr = strdup(mapping[0]);
__s_api_free2dArray(mapping);
if (mapped_attr == NULL) {
return (NS_LDAP_MEMORY);
}
} else {
__s_api_free2dArray(mapping);
(void) snprintf(errstr, (2 * MAXERROR),
gettext(
"Attribute nisMapName is mapped to an "
"empty string.\n"));
MKERROR(LOG_ERR, *errp, NS_CONFIG_SYNTAX,
strdup(errstr), NULL);
return (NS_LDAP_CONFIG);
}
/*
* Locate the mapped attribute in the dn
* and replace it if it exists
*/
rc = __s_api_replace_mapped_attr_in_dn(
(const char *) automountmapname, (const char *) mapped_attr,
(const char *) *dn, &buffer);
/* clean up */
free(mapped_attr);
/*
* If mapped attr is found(buffer != NULL)
* a new dn is returned
* If no mapped attribute is in dn,
* return NS_LDAP_SUCCESS (no op)
* If no memory,
* return NS_LDAP_MEMORY (no op)
*/
if (buffer != NULL) {
free(*dn);
*dn = buffer;
}
return (rc);
}
/*
* If the mapped attr is found in the dn,
* return NS_LDAP_SUCCESS and a new_dn.
* If no mapped attr is found,
* return NS_LDAP_SUCCESS and *new_dn == NULL
* If there is not enough memory,
* return NS_LDAP_MEMORY and *new_dn == NULL
*/
int
__s_api_replace_mapped_attr_in_dn(
const char *orig_attr, const char *mapped_attr,
const char *dn, char **new_dn) {
char **dnArray = NULL;
char *cur = NULL, *start = NULL;
int i = 0, found = 0;
int len = 0, orig_len = 0, mapped_len = 0;
int dn_len = 0, tmp_len = 0;
*new_dn = NULL;
/*
* seperate dn into individual componets
* e.g.
* "automountKey=user_01" , "automountMapName_test=auto_home", ...
*/
dnArray = ldap_explode_dn(dn, 0);
/*
* This will find "mapped attr=value" in dn.
* It won't find match if mapped attr appears
* in the value.
*/
for (i = 0; dnArray[i] != NULL; i++) {
/*
* This function is called when reading from
* the directory so assume each component has "=".
* Any ill formatted dn should be rejected
* before adding to the directory
*/
cur = strchr(dnArray[i], '=');
*cur = '\0';
if (strcasecmp(mapped_attr, dnArray[i]) == 0)
found = 1;
*cur = '=';
if (found) break;
}
if (!found) {
__s_api_free2dArray(dnArray);
*new_dn = NULL;
return (NS_LDAP_SUCCESS);
}
/*
* The new length is *dn length + (difference between
* orig attr and mapped attr) + 1 ;
* e.g.
* automountKey=aa,automountMapName_test=auto_home,dc=foo,dc=com
* ==>
* automountKey=aa,automountMapName=auto_home,dc=foo,dc=com
*/
mapped_len = strlen(mapped_attr);
orig_len = strlen(orig_attr);
dn_len = strlen(dn);
len = dn_len + orig_len - mapped_len + 1;
*new_dn = (char *)calloc(1, len);
if (*new_dn == NULL) {
__s_api_free2dArray(dnArray);
return (NS_LDAP_MEMORY);
}
/*
* Locate the mapped attr in the dn.
* Use dnArray[i] instead of mapped_attr
* because mapped_attr could appear in
* the value
*/
cur = strstr(dn, dnArray[i]);
__s_api_free2dArray(dnArray);
/* copy the portion before mapped attr in dn */
start = *new_dn;
tmp_len = cur - dn;
(void) memcpy((void *) start, (const void*) dn, tmp_len);
/*
* Copy the orig_attr. e.g. automountMapName
* This replaces mapped attr with orig attr
*/
start = start + (cur - dn); /* move cursor in buffer */
(void) memcpy((void *) start, (const void*) orig_attr, orig_len);
/*
* Copy the portion after mapped attr in dn
*/
cur = cur + mapped_len; /* move cursor in dn */
start = start + orig_len; /* move cursor in buffer */
(void) strcpy(start, cur);
return (NS_LDAP_SUCCESS);
}
/*
* Validate Filter functions
*/
/* ***** Start of modified libldap.so.5 filter parser ***** */
/* filter parsing routine forward references */
static int adj_filter_list(char *str);
static int adj_simple_filter(char *str);
static int unescape_filterval(char *val);
static int hexchar2int(char c);
static int adj_substring_filter(char *val);
/*
* assumes string manipulation is in-line
* and all strings are sufficient in size
* return value is the position after 'c'
*/
static char *
resync_str(char *str, char *next, char c)
{
char *ret;
ret = str + strlen(str);
*next = c;
if (ret == next)
return (ret);
(void) strcat(str, next);
return (ret);
}
static char *
find_right_paren(char *s)
{
int balance, escape;
balance = 1;
escape = 0;
while (*s && balance) {
if (escape == 0) {
if (*s == '(')
balance++;
else if (*s == ')')
balance--;
}
if (*s == '\\' && ! escape)
escape = 1;
else
escape = 0;
if (balance)
s++;
}
return (*s ? s : NULL);
}
static char *
adj_complex_filter(char *str)
{
char *next;
/*
* We have (x(filter)...) with str sitting on
* the x. We have to find the paren matching
* the one before the x and put the intervening
* filters by calling adj_filter_list().
*/
str++;
if ((next = find_right_paren(str)) == NULL)
return (NULL);
*next = '\0';
if (adj_filter_list(str) == -1)
return (NULL);
next = resync_str(str, next, ')');
next++;
return (next);
}
static int
adj_filter(char *str)
{
char *next;
int parens, balance, escape;
char *np, *cp, *dp;
parens = 0;
while (*str) {
switch (*str) {
case '(':
str++;
parens++;
switch (*str) {
case '&':
if ((str = adj_complex_filter(str)) == NULL)
return (-1);
parens--;
break;
case '|':
if ((str = adj_complex_filter(str)) == NULL)
return (-1);
parens--;
break;
case '!':
if ((str = adj_complex_filter(str)) == NULL)
return (-1);
parens--;
break;
case '(':
/* illegal ((case - generated by conversion */
/* find missing close) */
np = find_right_paren(str+1);
/* error if not found */
if (np == NULL)
return (-1);
/* remove redundant (and) */
for (dp = str, cp = str+1; cp < np; ) {
*dp++ = *cp++;
}
cp++;
while (*cp)
*dp++ = *cp++;
*dp = '\0';
/* re-start test at original ( */
parens--;
str--;
break;
default:
balance = 1;
escape = 0;
next = str;
while (*next && balance) {
if (escape == 0) {
if (*next == '(')
balance++;
else if (*next == ')')
balance--;
}
if (*next == '\\' && ! escape)
escape = 1;
else
escape = 0;
if (balance)
next++;
}
if (balance != 0)
return (-1);
*next = '\0';
if (adj_simple_filter(str) == -1) {
return (-1);
}
next = resync_str(str, next, ')');
next++;
str = next;
parens--;
break;
}
break;
case ')':
str++;
parens--;
break;
case ' ':
str++;
break;
default: /* assume it's a simple type=value filter */
next = strchr(str, '\0');
if (adj_simple_filter(str) == -1) {
return (-1);
}
str = next;
break;
}
}
return (parens ? -1 : 0);
}
/*
* Put a list of filters like this "(filter1)(filter2)..."
*/
static int
adj_filter_list(char *str)
{
char *next;
char save;
while (*str) {
while (*str && isspace(*str))
str++;
if (*str == '\0')
break;
if ((next = find_right_paren(str + 1)) == NULL)
return (-1);
save = *++next;
/* now we have "(filter)" with str pointing to it */
*next = '\0';
if (adj_filter(str) == -1)
return (-1);
next = resync_str(str, next, save);
str = next;
}
return (0);
}
/*
* is_valid_attr - returns 1 if a is a syntactically valid left-hand side
* of a filter expression, 0 otherwise. A valid string may contain only
* letters, numbers, hyphens, semi-colons, colons and periods. examples:
* cn
* cn;lang-fr
* 1.2.3.4;binary;dynamic
* mail;dynamic
* cn:dn:1.2.3.4
*
* For compatibility with older servers, we also allow underscores in
* attribute types, even through they are not allowed by the LDAPv3 RFCs.
*/
static int
is_valid_attr(char *a)
{
for (; *a; a++) {
if (!isascii(*a)) {
return (0);
} else if (!isalnum(*a)) {
switch (*a) {
case '-':
case '.':
case ';':
case ':':
case '_':
break; /* valid */
default:
return (0);
}
}
}
return (1);
}
static char *
find_star(char *s)
{
for (; *s; ++s) {
switch (*s) {
case '*':
return (s);
case '\\':
++s;
if (hexchar2int(s[0]) >= 0 && hexchar2int(s[1]) >= 0)
++s;
default:
break;
}
}
return (NULL);
}
static int
adj_simple_filter(char *str)
{
char *s, *s2, *s3, filterop;
char *value;
int ftype = 0;
int rc;
rc = -1; /* pessimistic */
if ((str = strdup(str)) == NULL) {
return (rc);
}
if ((s = strchr(str, '=')) == NULL) {
goto free_and_return;
}
value = s + 1;
*s-- = '\0';
filterop = *s;
if (filterop == '<' || filterop == '>' || filterop == '~' ||
filterop == ':') {
*s = '\0';
}
if (! is_valid_attr(str)) {
goto free_and_return;
}
switch (filterop) {
case '<': /* LDAP_FILTER_LE */
case '>': /* LDAP_FILTER_GE */
case '~': /* LDAP_FILTER_APPROX */
break;
case ':': /* extended filter - v3 only */
/*
* extended filter looks like this:
*
* [type][':dn'][':'oid]':='value
*
* where one of type or :oid is required.
*
*/
s2 = s3 = NULL;
if ((s2 = strrchr(str, ':')) == NULL) {
goto free_and_return;
}
if (strcasecmp(s2, ":dn") == 0) {
*s2 = '\0';
} else {
*s2 = '\0';
if ((s3 = strrchr(str, ':')) != NULL) {
if (strcasecmp(s3, ":dn") != 0) {
goto free_and_return;
}
*s3 = '\0';
}
}
if (unescape_filterval(value) < 0) {
goto free_and_return;
}
rc = 0;
goto free_and_return;
/* break; */
default:
if (find_star(value) == NULL) {
ftype = 0; /* LDAP_FILTER_EQUALITY */
} else if (strcmp(value, "*") == 0) {
ftype = 1; /* LDAP_FILTER_PRESENT */
} else {
rc = adj_substring_filter(value);
goto free_and_return;
}
break;
}
if (ftype != 0) { /* == LDAP_FILTER_PRESENT */
rc = 0;
} else if (unescape_filterval(value) >= 0) {
rc = 0;
}
if (rc != -1) {
rc = 0;
}
free_and_return:
free(str);
return (rc);
}
/*
* Check in place both LDAPv2 (RFC-1960) and LDAPv3 (hexadecimal) escape
* sequences within the null-terminated string 'val'.
*
* If 'val' contains invalid escape sequences we return -1.
* Otherwise return 1
*/
static int
unescape_filterval(char *val)
{
int escape, firstdigit;
char *s;
firstdigit = 0;
escape = 0;
for (s = val; *s; s++) {
if (escape) {
/*
* first try LDAPv3 escape (hexadecimal) sequence
*/
if (hexchar2int(*s) < 0) {
if (firstdigit) {
/*
* LDAPv2 (RFC1960) escape sequence
*/
escape = 0;
} else {
return (-1);
}
}
if (firstdigit) {
firstdigit = 0;
} else {
escape = 0;
}
} else if (*s != '\\') {
escape = 0;
} else {
escape = 1;
firstdigit = 1;
}
}
return (1);
}
/*
* convert character 'c' that represents a hexadecimal digit to an integer.
* if 'c' is not a hexidecimal digit [0-9A-Fa-f], -1 is returned.
* otherwise the converted value is returned.
*/
static int
hexchar2int(char c)
{
if (c >= '0' && c <= '9') {
return (c - '0');
}
if (c >= 'A' && c <= 'F') {
return (c - 'A' + 10);
}
if (c >= 'a' && c <= 'f') {
return (c - 'a' + 10);
}
return (-1);
}
static int
adj_substring_filter(char *val)
{
char *nextstar;
for (; val != NULL; val = nextstar) {
if ((nextstar = find_star(val)) != NULL) {
*nextstar++ = '\0';
}
if (*val != '\0') {
if (unescape_filterval(val) < 0) {
return (-1);
}
}
}
return (0);
}
/* ***** End of modified libldap.so.5 filter parser ***** */
/*
* Walk filter, remove redundant parentheses in-line
* verify that the filter is reasonable
*/
static int
validate_filter(ns_ldap_cookie_t *cookie)
{
char *filter = cookie->filter;
int rc;
/* Parse filter looking for illegal values */
rc = adj_filter(filter);
if (rc != 0) {
return (NS_LDAP_OP_FAILED);
}
/* end of filter checking */
return (NS_LDAP_SUCCESS);
}
/*
* Set the account management request control that needs to be sent to server.
* This control is required to get the account management information of
* a user to do local account checking.
*/
static int
setup_acctmgmt_params(ns_ldap_cookie_t *cookie)
{
LDAPControl *req = NULL, **requestctrls;
req = (LDAPControl *)malloc(sizeof (LDAPControl));
if (req == NULL)
return (NS_LDAP_MEMORY);
/* fill in the fields of this new control */
req->ldctl_iscritical = 1;
req->ldctl_oid = strdup(NS_LDAP_ACCOUNT_USABLE_CONTROL);
if (req->ldctl_oid == NULL) {
free(req);
return (NS_LDAP_MEMORY);
}
req->ldctl_value.bv_len = 0;
req->ldctl_value.bv_val = NULL;
requestctrls = (LDAPControl **)calloc(2, sizeof (LDAPControl *));
if (requestctrls == NULL) {
ldap_control_free(req);
return (NS_LDAP_MEMORY);
}
requestctrls[0] = req;
cookie->p_serverctrls = requestctrls;
return (NS_LDAP_SUCCESS);
}
/*
* int get_new_acct_more_info(BerElement *ber,
* AcctUsableResponse_t *acctResp)
*
* Decode the more_info data from an Account Management control response,
* when the account is not usable and when code style is from recent LDAP
* servers (see below comments for parse_acct_cont_resp_msg() to get more
* details on coding styles and ASN1 description).
*
* Expected BER encoding: {tbtbtbtiti}
* +t: tag is 0
* +b: TRUE if inactive due to account inactivation
* +t: tag is 1
* +b: TRUE if password has been reset
* +t: tag is 2
* +b: TRUE if password is expired
* +t: tag is 3
* +i: contains num of remaining grace, 0 means no grace
* +t: tag is 4
* +i: contains num of seconds before auto-unlock. -1 means acct is locked
* forever (i.e. until reset)
*
* Asumptions:
* - ber is not null
* - acctResp is not null and is initialized with default values for the
* fields in its AcctUsableResp.more_info structure
* - the ber stream is received in the correct order, per the ASN1 description.
* We do not check this order and make the asumption that it is correct.
* Note that the ber stream may not (and will not in most cases) contain
* all fields.
*/
static int
get_new_acct_more_info(BerElement *ber, AcctUsableResponse_t *acctResp)
{
int rc = NS_LDAP_SUCCESS;
char errstr[MAXERROR];
ber_tag_t rTag = LBER_DEFAULT;
ber_len_t rLen = 0;
ber_int_t rValue;
char *last;
int berRC = 0;
/*
* Look at what more_info BER element is/are left to be decoded.
* look at each of them 1 by 1, without checking on their order
* and possible multi values.
*/
for (rTag = ber_first_element(ber, &rLen, &last);
rTag != LBER_END_OF_SEQORSET;
rTag = ber_next_element(ber, &rLen, last)) {
berRC = 0;
switch (rTag) {
case 0 | LBER_CLASS_CONTEXT | LBER_PRIMITIVE:
/* inactive */
berRC = ber_scanf(ber, "b", &rValue);
if (berRC != LBER_ERROR) {
(acctResp->AcctUsableResp).more_info.
inactive = (rValue != 0) ? 1 : 0;
}
break;
case 1 | LBER_CLASS_CONTEXT | LBER_PRIMITIVE:
/* reset */
berRC = ber_scanf(ber, "b", &rValue);
if (berRC != LBER_ERROR) {
(acctResp->AcctUsableResp).more_info.reset
= (rValue != 0) ? 1 : 0;
}
break;
case 2 | LBER_CLASS_CONTEXT | LBER_PRIMITIVE:
/* expired */
berRC = ber_scanf(ber, "b", &rValue);
if (berRC != LBER_ERROR) {
(acctResp->AcctUsableResp).more_info.expired
= (rValue != 0) ? 1 : 0;
}
break;
case 3 | LBER_CLASS_CONTEXT | LBER_PRIMITIVE:
/* remaining grace */
berRC = ber_scanf(ber, "i", &rValue);
if (berRC != LBER_ERROR) {
(acctResp->AcctUsableResp).more_info.rem_grace
= rValue;
}
break;
case 4 | LBER_CLASS_CONTEXT | LBER_PRIMITIVE:
/* seconds before unlock */
berRC = ber_scanf(ber, "i", &rValue);
if (berRC != LBER_ERROR) {
(acctResp->AcctUsableResp).more_info.
sec_b4_unlock = rValue;
}
break;
default :
(void) sprintf(errstr,
gettext("invalid reason tag 0x%x"), rTag);
syslog(LOG_DEBUG, "libsldap: %s", errstr);
rc = NS_LDAP_INTERNAL;
break;
}
if (berRC == LBER_ERROR) {
(void) sprintf(errstr,
gettext("error 0x%x decoding value for "
"tag 0x%x"), berRC, rTag);
syslog(LOG_DEBUG, "libsldap: %s", errstr);
rc = NS_LDAP_INTERNAL;
}
if (rc != NS_LDAP_SUCCESS) {
/* exit the for loop */
break;
}
}
return (rc);
}
/*
* int get_old_acct_opt_more_info(BerElement *ber,
* AcctUsableResponse_t *acctResp)
*
* Decode the optional more_info data from an Account Management control
* response, when the account is not usable and when code style is from LDAP
* server 5.2p4 (see below comments for parse_acct_cont_resp_msg() to get more
* details on coding styles and ASN1 description).
*
* Expected BER encoding: titi}
* +t: tag is 2
* +i: contains num of remaining grace, 0 means no grace
* +t: tag is 3
* +i: contains num of seconds before auto-unlock. -1 means acct is locked
* forever (i.e. until reset)
*
* Asumptions:
* - ber is a valid BER element
* - acctResp is initialized for the fields in its AcctUsableResp.more_info
* structure
*/
static int
get_old_acct_opt_more_info(ber_tag_t tag, BerElement *ber,
AcctUsableResponse_t *acctResp)
{
int rc = NS_LDAP_SUCCESS;
char errstr[MAXERROR];
ber_len_t len;
int rem_grace, sec_b4_unlock;
switch (tag) {
case 2:
/* decode and maybe 3 is following */
if ((tag = ber_scanf(ber, "i", &rem_grace)) == LBER_ERROR) {
(void) sprintf(errstr, gettext("Can not get "
"rem_grace"));
syslog(LOG_DEBUG, "libsldap: %s", errstr);
rc = NS_LDAP_INTERNAL;
break;
}
(acctResp->AcctUsableResp).more_info.rem_grace = rem_grace;
if ((tag = ber_peek_tag(ber, &len)) == LBER_ERROR) {
/* this is a success case, break to exit */
(void) sprintf(errstr, gettext("No more "
"optional data"));
syslog(LOG_DEBUG, "libsldap: %s", errstr);
break;
}
if (tag == 3) {
if (ber_scanf(ber, "i", &sec_b4_unlock) == LBER_ERROR) {
(void) sprintf(errstr,
gettext("Can not get sec_b4_unlock "
"- 1st case"));
syslog(LOG_DEBUG, "libsldap: %s", errstr);
rc = NS_LDAP_INTERNAL;
break;
}
(acctResp->AcctUsableResp).more_info.sec_b4_unlock =
sec_b4_unlock;
} else { /* unknown tag */
(void) sprintf(errstr, gettext("Unknown tag "
"- 1st case"));
syslog(LOG_DEBUG, "libsldap: %s", errstr);
rc = NS_LDAP_INTERNAL;
break;
}
break;
case 3:
if (ber_scanf(ber, "i", &sec_b4_unlock) == LBER_ERROR) {
(void) sprintf(errstr, gettext("Can not get "
"sec_b4_unlock - 2nd case"));
syslog(LOG_DEBUG, "libsldap: %s", errstr);
rc = NS_LDAP_INTERNAL;
break;
}
(acctResp->AcctUsableResp).more_info.sec_b4_unlock =
sec_b4_unlock;
break;
default: /* unknown tag */
(void) sprintf(errstr, gettext("Unknown tag - 2nd case"));
syslog(LOG_DEBUG, "libsldap: %s", errstr);
rc = NS_LDAP_INTERNAL;
break;
}
return (rc);
}
/*
* **** This function needs to be moved to libldap library ****
* parse_acct_cont_resp_msg() parses the message received by server according to
* following format (ASN1 notation):
*
* ACCOUNT_USABLE_RESPONSE::= CHOICE {
* is_available [0] INTEGER,
* ** seconds before expiration **
* is_not_available [1] more_info
* }
* more_info::= SEQUENCE {
* inactive [0] BOOLEAN DEFAULT FALSE,
* reset [1] BOOLEAN DEFAULT FALSE,
* expired [2] BOOLEAN DEFAULT FALSE,
* remaining_grace [3] INTEGER OPTIONAL,
* seconds_before_unlock [4] INTEGER OPTIONAL
* }
*/
/*
* #define used to make the difference between coding style as done
* by LDAP server 5.2p4 and newer LDAP servers. There are 4 values:
* - DS52p4_USABLE: 5.2p4 coding style, account is usable
* - DS52p4_NOT_USABLE: 5.2p4 coding style, account is not usable
* - NEW_USABLE: newer LDAP servers coding style, account is usable
* - NEW_NOT_USABLE: newer LDAP servers coding style, account is not usable
*
* An account would be considered not usable if for instance:
* - it's been made inactive in the LDAP server
* - or its password was reset in the LDAP server database
* - or its password expired
* - or the account has been locked, possibly forever
*/
#define DS52p4_USABLE 0x00
#define DS52p4_NOT_USABLE 0x01
#define NEW_USABLE 0x00 | LBER_CLASS_CONTEXT | LBER_PRIMITIVE
#define NEW_NOT_USABLE 0x01 | LBER_CLASS_CONTEXT | LBER_CONSTRUCTED
static int
parse_acct_cont_resp_msg(LDAPControl **ectrls, AcctUsableResponse_t *acctResp)
{
int rc = NS_LDAP_SUCCESS;
BerElement *ber;
ber_tag_t tag;
ber_len_t len;
int i;
char errstr[MAXERROR];
/* used for any coding style when account is usable */
int seconds_before_expiry;
/* used for 5.2p4 coding style when account is not usable */
int inactive, reset, expired;
if (ectrls == NULL) {
(void) sprintf(errstr, gettext("Invalid ectrls parameter"));
syslog(LOG_DEBUG, "libsldap: %s", errstr);
return (NS_LDAP_INVALID_PARAM);
}
for (i = 0; ectrls[i] != NULL; i++) {
if (strcmp(ectrls[i]->ldctl_oid, NS_LDAP_ACCOUNT_USABLE_CONTROL)
== 0) {
break;
}
}
if (ectrls[i] == NULL) {
/* Ldap control is not found */
(void) sprintf(errstr, gettext("Account Usable Control "
"not found"));
syslog(LOG_DEBUG, "libsldap: %s", errstr);
return (NS_LDAP_NOTFOUND);
}
/* Allocate a BER element from the control value and parse it. */
if ((ber = ber_init(&ectrls[i]->ldctl_value)) == NULL)
return (NS_LDAP_MEMORY);
if ((tag = ber_peek_tag(ber, &len)) == LBER_ERROR) {
/* Ldap decoding error */
(void) sprintf(errstr, gettext("Error decoding 1st tag"));
syslog(LOG_DEBUG, "libsldap: %s", errstr);
ber_free(ber, 1);
return (NS_LDAP_INTERNAL);
}
switch (tag) {
case DS52p4_USABLE:
case NEW_USABLE:
acctResp->choice = 0;
if (ber_scanf(ber, "i", &seconds_before_expiry)
== LBER_ERROR) {
/* Ldap decoding error */
(void) sprintf(errstr, gettext("Can not get "
"seconds_before_expiry"));
syslog(LOG_DEBUG, "libsldap: %s", errstr);
rc = NS_LDAP_INTERNAL;
break;
}
/* ber_scanf() succeeded */
(acctResp->AcctUsableResp).seconds_before_expiry =
seconds_before_expiry;
break;
case DS52p4_NOT_USABLE:
acctResp->choice = 1;
if (ber_scanf(ber, "{bbb", &inactive, &reset, &expired)
== LBER_ERROR) {
/* Ldap decoding error */
(void) sprintf(errstr, gettext("Can not get "
"inactive/reset/expired"));
syslog(LOG_DEBUG, "libsldap: %s", errstr);
rc = NS_LDAP_INTERNAL;
break;
}
/* ber_scanf() succeeded */
(acctResp->AcctUsableResp).more_info.inactive =
((inactive == 0) ? 0 : 1);
(acctResp->AcctUsableResp).more_info.reset =
((reset == 0) ? 0 : 1);
(acctResp->AcctUsableResp).more_info.expired =
((expired == 0) ? 0 : 1);
(acctResp->AcctUsableResp).more_info.rem_grace = 0;
(acctResp->AcctUsableResp).more_info.sec_b4_unlock = 0;
if ((tag = ber_peek_tag(ber, &len)) == LBER_ERROR) {
/* this is a success case, break to exit */
(void) sprintf(errstr, gettext("No optional data"));
syslog(LOG_DEBUG, "libsldap: %s", errstr);
break;
}
/*
* Look at what optional more_info BER element is/are
* left to be decoded.
*/
rc = get_old_acct_opt_more_info(tag, ber, acctResp);
break;
case NEW_NOT_USABLE:
acctResp->choice = 1;
/*
* Recent LDAP servers won't code more_info data for default
* values (see above comments on ASN1 description for what
* fields have default values & what fields are optional).
*/
(acctResp->AcctUsableResp).more_info.inactive = 0;
(acctResp->AcctUsableResp).more_info.reset = 0;
(acctResp->AcctUsableResp).more_info.expired = 0;
(acctResp->AcctUsableResp).more_info.rem_grace = 0;
(acctResp->AcctUsableResp).more_info.sec_b4_unlock = 0;
if (len == 0) {
/*
* Nothing else to decode; this is valid and we
* use default values set above.
*/
(void) sprintf(errstr, gettext("more_info is "
"empty, using default values"));
syslog(LOG_DEBUG, "libsldap: %s", errstr);
break;
}
/*
* Look at what more_info BER element is/are left to
* be decoded.
*/
rc = get_new_acct_more_info(ber, acctResp);
break;
default:
(void) sprintf(errstr, gettext("unknwon coding style "
"(tag: 0x%x)"), tag);
syslog(LOG_DEBUG, "libsldap: %s", errstr);
rc = NS_LDAP_INTERNAL;
break;
}
ber_free(ber, 1);
return (rc);
}
/*
* internal function for __ns_ldap_getAcctMgmt()
*/
static int
getAcctMgmt(const char *user, AcctUsableResponse_t *acctResp,
ns_conn_user_t *conn_user)
{
int scope, rc;
char ldapfilter[1024];
ns_ldap_cookie_t *cookie;
ns_ldap_search_desc_t **sdlist = NULL;
ns_ldap_search_desc_t *dptr;
ns_ldap_error_t *error = NULL;
char **dns = NULL;
char service[] = "shadow";
if (user == NULL || acctResp == NULL)
return (NS_LDAP_INVALID_PARAM);
/* Initialize State machine cookie */
cookie = init_search_state_machine();
if (cookie == NULL)
return (NS_LDAP_MEMORY);
cookie->conn_user = conn_user;
/* see if need to follow referrals */
rc = __s_api_toFollowReferrals(0,
&cookie->followRef, &error);
if (rc != NS_LDAP_SUCCESS) {
(void) __ns_ldap_freeError(&error);
goto out;
}
/* get the service descriptor - or create a default one */
rc = __s_api_get_SSD_from_SSDtoUse_service(service,
&sdlist, &error);
if (rc != NS_LDAP_SUCCESS) {
(void) __ns_ldap_freeError(&error);
goto out;
}
if (sdlist == NULL) {
/* Create default service Desc */
sdlist = (ns_ldap_search_desc_t **)calloc(2,
sizeof (ns_ldap_search_desc_t *));
if (sdlist == NULL) {
rc = NS_LDAP_MEMORY;
goto out;
}
dptr = (ns_ldap_search_desc_t *)
calloc(1, sizeof (ns_ldap_search_desc_t));
if (dptr == NULL) {
free(sdlist);
rc = NS_LDAP_MEMORY;
goto out;
}
sdlist[0] = dptr;
/* default base */
rc = __s_api_getDNs(&dns, service, &cookie->errorp);
if (rc != NS_LDAP_SUCCESS) {
if (dns) {
__s_api_free2dArray(dns);
dns = NULL;
}
(void) __ns_ldap_freeError(&(cookie->errorp));
cookie->errorp = NULL;
goto out;
}
dptr->basedn = strdup(dns[0]);
if (dptr->basedn == NULL) {
free(sdlist);
free(dptr);
if (dns) {
__s_api_free2dArray(dns);
dns = NULL;
}
rc = NS_LDAP_MEMORY;
goto out;
}
__s_api_free2dArray(dns);
dns = NULL;
/* default scope */
scope = 0;
rc = __s_api_getSearchScope(&scope, &cookie->errorp);
dptr->scope = scope;
}
cookie->sdlist = sdlist;
cookie->service = strdup(service);
if (cookie->service == NULL) {
rc = NS_LDAP_MEMORY;
goto out;
}
/* search for entries for this particular uid */
(void) snprintf(ldapfilter, sizeof (ldapfilter), "(uid=%s)", user);
cookie->i_filter = strdup(ldapfilter);
if (cookie->i_filter == NULL) {
rc = NS_LDAP_MEMORY;
goto out;
}
/* create the control request */
if ((rc = setup_acctmgmt_params(cookie)) != NS_LDAP_SUCCESS)
goto out;
/* Process search */
rc = search_state_machine(cookie, GET_ACCT_MGMT_INFO, 0);
/* Copy results back to user */
rc = cookie->err_rc;
if (rc != NS_LDAP_SUCCESS)
(void) __ns_ldap_freeError(&(cookie->errorp));
if (cookie->result == NULL)
goto out;
if ((rc = parse_acct_cont_resp_msg(cookie->resultctrl, acctResp))
!= NS_LDAP_SUCCESS)
goto out;
rc = NS_LDAP_SUCCESS;
out:
delete_search_cookie(cookie);
return (rc);
}
/*
* __ns_ldap_getAcctMgmt() is called from pam account management stack
* for retrieving accounting information of users with no user password -
* eg. rlogin, rsh, etc. This function uses the account management control
* request to do a search on the server for the user in question. The
* response control returned from the server is got from the cookie.
* Input params: username of whose account mgmt information is to be got
* pointer to hold the parsed account management information
* Return values: NS_LDAP_SUCCESS on success or appropriate error
* code on failure
*/
int
__ns_ldap_getAcctMgmt(const char *user, AcctUsableResponse_t *acctResp)
{
ns_conn_user_t *cu = NULL;
int try_cnt = 0;
int rc = NS_LDAP_SUCCESS;
ns_ldap_error_t *error = NULL;
for (;;) {
if (__s_api_setup_retry_search(&cu, NS_CONN_USER_SEARCH,
&try_cnt, &rc, &error) == 0)
break;
rc = getAcctMgmt(user, acctResp, cu);
}
return (rc);
}